From russell-tcatm at stuart.id.au Sun Jul 1 13:02:31 2007
From: russell-tcatm at stuart.id.au (Russell Stuart)
Date: Sun Jul 1 13:03:17 2007
Subject: [LARTC] Re: tc-atm for current 2.6.x kernels?
In-Reply-To: <20070628102840.GA2407@amelek.gda.pl>
References: <20070628102840.GA2407@amelek.gda.pl>
Message-ID: <1183287751.9415.26.camel@ras.pc.stuart.local>

On Thu, 2007-06-28 at 12:28 +0200, Marek Michalkiewicz wrote:
> Do you have an updated version of your patches for the latest
> kernel (soon to be 2.6.22), iptables and iproute? Or can the
> current patches be safely applied (with some merging by hand,
> but no significant changes) to the latest sources?

No, not yet. But I am in the process of moving my production systems
from Debian Sarge to Etch. In the course of doing that I will produce
modified patches.

> One more thing: I'd like to do some shaping inside as well, to
> help performance of the wireless LAN. So no ATM cell overhead,
> but I'm just wondering: what would be the reasonable packet
> overhead value to specify in HTB for 802.11b WLAN at 11 Mb/s?

I don't know. But I am not sure it matters. The issue you face is
that HTB, and indeed most qdiscs except perhaps SFQ, need to have an
accurate idea of the link's capacity. In fact, ensuring the kernel's
idea of the link capacity is accurate for ADSL lines was the entire
point of the ATM patches. Any improvement it produces is purely
because of the benefit that comes from the improvement in the
kernel's link capacity measurements.

So the question you are really asking is "what overhead value will
make the kernel's idea of a wireless connection accurate". The answer
is: none. The capacity of a wireless connection fluctuates greatly.
For example, it will go down when someone turns a microwave oven on,
or if someone walks by with a cell phone with Bluetooth turned on.
Compared to these real-life fluctuations the frame overhead is just
noise.
What you need is a qdisc that doesn't require the link capacity to be
specified when it is created, but instead infers it from the current
transmission rates. HTB does make scheduling decisions like this when
the link is over committed, but it is strictly on a priority basis,
i.e. like the existing pfifo_fast qdisc. I imagine this isn't flexible
enough for you. I don't know of any that is. But I haven't looked at
HFSC closely.

I am cc'ing this to the list. There are people there who know more
about the various qdiscs than me.

From rez at eliezedeck.com Sun Jul 1 19:53:10 2007
From: rez at eliezedeck.com (R. Elie Zedeck)
Date: Sun Jul 1 19:55:23 2007
Subject: [LARTC] Routing help
Message-ID: <4687EA06.8090308@eliezedeck.com>

Hi,

I need some help on Linux routing, if you have some spare time. I'm
based in Madagascar and my English is not good; so please forgive me.

*What I want to come up with:*
My main goal is to download using two modems at the same time,
combining their bandwidth, but I have failed miserably. The reason is
this: our country still has poor, slow Internet, and I have seen on
the Internet the various ways of combining several Internet
connections into one single connection, to get a higher bandwidth.

*What I have:*
I have 2 modems, 2 accounts on the same ISP. I have tried using
openSUSE 10.2 and Gentoo 2007.0, but none of them satisfied my deep
need.

*What I have tried already:*
I have been spending days on the Routing guide that you provided at
http://lartc.org/howto/, but I have failed miserably to make it work,
and my Internet connection is all broken when I try it. I'm not a
network expert, and I'm so confused by all the addresses, interfaces,
... that need to be configured. Multilinking doesn't work either, and
so routing is the last resort.

*The problems that I'm facing:*
My connection is broken whenever I try using the multilinking routing
techniques that you showed on the site. And I thus have to reboot
every time it gets broken.
Here is what ip shows me, as you instructed in the guide:

_Using 1 modem only:_

# ip route show
2.2.2.2 dev ppp0  proto kernel  scope link  src 62.56.163.150
127.0.0.0/8 dev lo  scope link
default via 2.2.2.2 dev ppp0

# ip link show
1: lo: mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
18: ppp0: mtu 1500 qdisc pfifo_fast qlen 3
    link/ppp

_Using both modems:_

# ip route show
2.2.2.2 dev ppp0  proto kernel  scope link  src 62.56.163.150
2.2.2.2 dev ppp1  proto kernel  scope link  src 62.56.163.135
127.0.0.0/8 dev lo  scope link
default via 2.2.2.2 dev ppp0

# ip link show
1: lo: mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
18: ppp0: mtu 1500 qdisc pfifo_fast qlen 3
    link/ppp
19: ppp1: mtu 1500 qdisc pfifo_fast qlen 3
    link/ppp

I'm just asking you to help me, of course, if you have time. I'm
desperate to have this thing working, and I can issue any commands
that you ask on my system, if you need me to.

Thanks a lot.
Zedeck.

PS: Current system is Gentoo 2007.0.

From augustopaulo at hotmail.com Sun Jul 1 22:01:16 2007
From: augustopaulo at hotmail.com (Paulo Augusto)
Date: Sun Jul 1 22:01:33 2007
Subject: [LARTC] FW filter unused/unloaded ???
Message-ID:

Hi all.

I've written a small htb script that uses U32 and FW (marked by IPTABLES)
filters, but TC doesn't seem to be using the "cls_fw.o" module !!!
I'm using redhat v9.0, kernel 2.4.8-20, iproute 2.4.7-7.

Here is my script:
==========================================================
#####################
#Interface definition
#####################
#interface="ppp0"
interface="eth0"

#####################
#Addresses definition
#####################
ip_src="192.168.1.240"
#ip_src2="225.0.7.110"

#########################################
#Delete any previous stored configuration
#########################################
tc qdisc del dev $interface root

##############################################
#Creating the root Qdisc (Queueing Discipline)
##############################################
tc qdisc add dev $interface root handle 1: htb default 14

######################
#Definition of classes
######################
tc class add dev $interface parent 1: classid 1:1 htb rate 28800bps ceil 28800bps
tc class add dev $interface parent 1:1 classid 1:10 htb rate 1bps ceil 1bps prio 4
tc class add dev $interface parent 1:1 classid 1:11 htb rate 1bps ceil 28800bps prio 2
tc class add dev $interface parent 1:1 classid 1:12 htb rate 1bps ceil 28800bps prio 4
tc class add dev $interface parent 1:1 classid 1:13 htb rate 1bps ceil 28800bps prio 4
tc class add dev $interface parent 1:1 classid 1:14 htb rate 2000bps ceil 3000bps prio 2

##########################
#Definition of the filters
##########################
tc filter add dev $interface protocol ip parent 1:0 prio 1 u32 match ip src $ip_src match ip dport 20000 0xffff flowid 1:10
tc filter add dev $interface protocol ip parent 1:0 prio 1 u32 match ip src $ip_src match ip dport 20001 0xffff flowid 1:11
tc filter add dev $interface protocol ip parent 1:0 prio 1 u32 match ip src $ip_src match ip dport 20002 0xffff flowid 1:12
tc filter add dev $interface protocol ip parent 1:0 prio 1 u32 match ip src $ip_src match ip dport 20003 0xffff flowid 1:13
tc filter add dev $interface parent 1:0 protocol ip prio 1 handle 7 fw flowid 1:14

tc qdisc add dev $interface parent 1:10 handle 20: pfifo limit 5
tc qdisc add dev $interface parent 1:11 handle 30: pfifo limit 5
tc qdisc add dev $interface parent 1:12 handle 40: sfq perturb 10
tc qdisc add dev $interface parent 1:13 handle 50: sfq perturb 10
tc qdisc add dev $interface parent 1:14 handle 50: sfq perturb 10
===========================================================

After executing this script I get the following modules loaded in memory:
===========================================================
Module                  Size  Used by    Tainted: PF
sch_sfq                 4096   2 (autoclean)
cls_u32                 6300   1 (autoclean)
sch_htb                22016   1 (autoclean)
===========================================================

After that I manually load (insmod) the FW module and execute the script
again, but it keeps showing that it is still unused/unloaded !!!
===========================================================
Module                  Size  Used by    Tainted: PF
cls_fw                  3512   0 (unused)
sch_sfq                 4096   2 (autoclean)
cls_u32                 6300   1 (autoclean)
sch_htb                22016   1 (autoclean)
===========================================================

Also if I try to see the filters actually loaded by TC I get this:
===========================================================
filter parent 1: protocol ip pref 1 u32
filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:10
  match c0a801f0/ffffffff at 12
  match 00004e20/0000ffff at 20
filter parent 1: protocol ip pref 1 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:11
  match c0a801f0/ffffffff at 12
  match 00004e21/0000ffff at 20
filter parent 1: protocol ip pref 1 u32 fh 800::802 order 2050 key ht 800 bkt 0 flowid 1:12
  match c0a801f0/ffffffff at 12
  match 00004e22/0000ffff at 20
filter parent 1: protocol ip pref 1 u32 fh 800::803 order 2051 key ht 800 bkt 0 flowid 1:13
  match c0a801f0/ffffffff at 12
  match 00004e23/0000ffff at 20
===========================================================

So am I to assume that the FW filter (flowid 1:14) isn't being loaded?
I cannot increase the kernel version number because I am using a binary
driver from an mpeg4 capture board.

Can someone please help?

Thanks in advance.
Best regards,
Paulo
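Two static checks over the script posted above, added here as an editor's example (not code from the thread). The excerpt in SCRIPT is copied from the post with $interface and $ip_src expanded; the checks encode two rules the kernel enforces when a filter or qdisc is added: a chain identified by parent, protocol and prio holds one classifier kind, and a qdisc handle is unique per device. The rate helper is included because tc's "bps" suffix means bytes per second (multipliers follow the current tc(8) man page), so the script's 28800bps is 230400 bit/s rather than 28.8 kbit/s.

```python
"""Static checks for a tc(8) script, run over the HTB/u32/fw script
posted above. Added example, not code from the thread; the excerpt in
SCRIPT is copied from the post with $interface and $ip_src expanded."""
import re

# Classifier kinds a "tc filter add" line may name (the two in the post
# plus other common ones).
CLASSIFIERS = {"u32", "fw", "route", "tcindex", "basic", "flow"}

# Multipliers to bits per second per the current tc(8) man page:
# the "bit" family is bits/s, the "bps" family is BYTES/s.
_RATE_UNITS = {
    "bit": 1, "kbit": 1_000, "mbit": 1_000_000, "gbit": 1_000_000_000,
    "bps": 8, "kbps": 8_000, "mbps": 8_000_000, "gbps": 8_000_000_000,
}

# Constructed input: the lines of the posted script that matter here.
SCRIPT = """\
tc qdisc add dev eth0 root handle 1: htb default 14
tc class add dev eth0 parent 1: classid 1:1 htb rate 28800bps ceil 28800bps
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src 192.168.1.240 match ip dport 20000 0xffff flowid 1:10
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src 192.168.1.240 match ip dport 20001 0xffff flowid 1:11
tc filter add dev eth0 parent 1:0 protocol ip prio 1 handle 7 fw flowid 1:14
tc qdisc add dev eth0 parent 1:13 handle 50: sfq perturb 10
tc qdisc add dev eth0 parent 1:14 handle 50: sfq perturb 10
"""


def rate_to_bits_per_second(rate):
    """Decode a tc rate token such as '28800bps' (bytes/s) or '200kbit'."""
    m = re.fullmatch(r"(\d+)([a-zA-Z]*)", rate)
    if not m:
        raise ValueError(f"unparseable rate {rate!r}")
    number, unit = int(m.group(1)), (m.group(2) or "bit").lower()
    if unit not in _RATE_UNITS:
        raise ValueError(f"unknown rate unit {unit!r}")
    return number * _RATE_UNITS[unit]


def _opt(tokens, key):
    """Value following keyword `key` in a tc command, or None."""
    if key in tokens:
        i = tokens.index(key)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def lint_tc_script(text):
    """Return findings for two conditions the kernel rejects at 'add' time:
    a second classifier kind on a chain already holding one (same dev,
    parent, protocol and prio), and a reused qdisc handle on one device."""
    findings = []
    chains = {}    # (dev, parent, protocol, prio) -> classifier kind seen
    handles = {}   # (dev, handle) -> line number that claimed it
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if len(tokens) < 3 or tokens[0] != "tc" or tokens[2] != "add":
            continue
        dev = _opt(tokens, "dev")
        if tokens[1] == "filter":
            kind = next((t for t in tokens if t in CLASSIFIERS), None)
            key = (dev, _opt(tokens, "parent"), _opt(tokens, "protocol"),
                   _opt(tokens, "prio"))
            seen = chains.setdefault(key, kind)
            if seen != kind:
                findings.append(
                    f"line {lineno}: {kind} filter on parent {key[1]} "
                    f"protocol {key[2]} prio {key[3]} clashes with the {seen} "
                    f"filter already there; the add is refused, use another prio")
        elif tokens[1] == "qdisc":
            handle = _opt(tokens, "handle")
            if handle is None:
                continue
            first = handles.setdefault((dev, handle), lineno)
            if first != lineno:
                findings.append(
                    f"line {lineno}: qdisc handle {handle} on {dev} already "
                    f"used on line {first}; the add fails with 'File exists'")
    return findings


if __name__ == "__main__":
    for finding in lint_tc_script(SCRIPT):
        print(finding)
    print("28800bps =", rate_to_bits_per_second("28800bps"), "bit/s")
```

Run as is, the linter reports the fw filter on line 5 (the cause a later reply in this thread identifies: same protocol and prio as the u32 filters) and the reused handle 50: on line 7, which is a second, independent failure in the posted script. Either condition is also visible at run time as an RTNETLINK error from tc, so checking the script's exit status per command, rather than only inspecting lsmod afterwards, would have shown both.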
From raju at linux-delhi.org Mon Jul 2 09:48:22 2007
From: raju at linux-delhi.org (Raj Mathur)
Date: Mon Jul 2 09:48:54 2007
Subject: [LARTC] Multicast routing problem
Message-ID: <200707021318.22311.raju@linux-delhi.org>

Hi,

I'm trying to route multicast between 2 LANs using a GRE tunnel. The
setup is:

B to C is a GRE tunnel running over PPPoE. B is the multicast router.
A is on the same LAN as B. The same ethernet adapter is used for both
the LAN and PPPoE connections.

I've set up smcroute since I only need static routing. Multicasts sent
from C (the remote machine) to B over the tunnel are properly routed
by B and available over the LAN to A. However, multicast packets
generated by A (on the LAN), while received at B, are not routed over
the tunnel to C.

The multicast routes look fine, and I can see the input counters
growing when I receive multicasts on the LAN. However tcpdump does not
show any activity on the tunnel; the packets just seem to get dropped
at B.

Kernel 2.6.16.

Any help appreciated.

Regards,

-- Raju
-- 
Raj Mathur                raju@kandalaya.org      http://kandalaya.org/
       GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
                      It is the mind that moves

From thuleau at gmail.com Mon Jul 2 12:11:23 2007
From: thuleau at gmail.com (Edouard Thuleau)
Date: Mon Jul 2 12:11:33 2007
Subject: [LARTC] Kernel Packet Traveling Diagram
Message-ID: <81c11a560707020311q7c1241f6n504d68b00db6cd3c@mail.gmail.com>

Hi,

I find this diagram which details the kernel packet traveling :
http://www.docum.org/docum.org/kptd/
Is it up to date ?
I made some tests and I put a DNAT rule in the PREROUTING table of an
interface and I attached an ingress policy to it; the dst IP wasn't
changed. The DNAT isn't yet made.
I've another question (I'm not sure if this is the right mailing list):
for fragmented packets, I see the ingress policy doesn't work correctly
and I'd like to know where in the kernel travel of the packet the
fragments are re-assembled? At the NAT or in the routing?

Thanks,
Edouard.

From thuleau at gmail.com Mon Jul 2 14:04:33 2007
From: thuleau at gmail.com (Edouard Thuleau)
Date: Mon Jul 2 14:04:40 2007
Subject: [LARTC] Kernel Packet Traveling Diagram
In-Reply-To:
References: <81c11a560707020311q7c1241f6n504d68b00db6cd3c@mail.gmail.com>
Message-ID: <81c11a560707020504m5132decdxa7a851c3bf5e8306@mail.gmail.com>

Thanks,
I know the older version of this diagram and this one is quite the same,
as I told below, but the problem is the same for the DNAT. I made another
test. I changed the DSCP value in the PREROUTING table and I put an
ingress policing which matches this new dscp value but the filter doesn't
match anything (I work on Linux 2.6.17).
With my test, the older version (http://www.imagestream.com/~josh/PacketFlow.jpg)
of the diagram seems more exact.

Have you an idea?

2007/7/2, nano bug :
>
> Hello,
>
> I find this one more useful :
>
> http://www.imagestream.com/~josh/PacketFlow-new.png
>
> On 7/2/07, Edouard Thuleau wrote:
> >
> > Hi,
> >
> > I find this diagram which details the kernel packet traveling :
> > http://www.docum.org/docum.org/kptd/
> > Is it up to date ?
> > I made some tests and I put a DNAT rule in the PREROUTING table of an
> > interface and I attached an ingress policy to it; the dst IP wasn't
> > changed. The DNAT isn't yet made.
> >
> > I've another question (I'm not sure if this is the right mailing list):
> > for fragmented packets, I see the ingress policy doesn't work correctly
> > and I'd like to know where in the kernel travel of the packet the
> > fragments are re-assembled? At the NAT or in the routing?
> >
> > Thanks,
> > Edouard.
> >
> > _______________________________________________
> > LARTC mailing list
> > LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> >
> >
>

From linnewbye at gmail.com Mon Jul 2 14:11:44 2007
From: linnewbye at gmail.com (nano bug)
Date: Mon Jul 2 14:11:55 2007
Subject: [LARTC] Kernel Packet Traveling Diagram
In-Reply-To: <81c11a560707020504m5132decdxa7a851c3bf5e8306@mail.gmail.com>
References: <81c11a560707020311q7c1241f6n504d68b00db6cd3c@mail.gmail.com>
	<81c11a560707020504m5132decdxa7a851c3bf5e8306@mail.gmail.com>
Message-ID:

Hello,

Can you post the scripts you are using ?

On 7/2/07, Edouard Thuleau wrote:
>
> Thanks,
> I know the older version of this diagram and this one is quite the same,
> as I told below, but the problem is the same for the DNAT. I made another
> test. I changed the DSCP value in the PREROUTING table and I put an
> ingress policing which matches this new dscp value but the filter doesn't
> match anything (I work on Linux 2.6.17).
> With my test, the older version (http://www.imagestream.com/~josh/PacketFlow.jpg)
> of the diagram seems more exact.
>
> Have you an idea ?
>
> 2007/7/2, nano bug :
> >
> > Hello,
> >
> > I find this one more useful :
> >
> > http://www.imagestream.com/~josh/PacketFlow-new.png
> >
> > On 7/2/07, Edouard Thuleau wrote:
> > >
> > > Hi,
> > >
> > > I find this diagram which details the kernel packet traveling :
> > > http://www.docum.org/docum.org/kptd/
> > > Is it up to date ?
> > > I made some tests and I put a DNAT rule in the PREROUTING table of an
> > > interface and I attached an ingress policy to it; the dst IP wasn't
> > > changed. The DNAT isn't yet made.
> > >
> > > I've another question (I'm not sure if this is the right mailing list):
> > > for fragmented packets, I see the ingress policy doesn't work correctly
> > > and I'd like to know where in the kernel travel of the packet the
> > > fragments are re-assembled? At the NAT or in the routing?
> > >
> > > Thanks,
> > > Edouard.
> > >
> > > _______________________________________________
> > > LARTC mailing list
> > > LARTC@mailman.ds9a.nl
> > > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> > >
> > >
> >
>

From markdv.lartc at asphyx.net Mon Jul 2 14:25:25 2007
From: markdv.lartc at asphyx.net (Mark)
Date: Mon Jul 2 14:25:34 2007
Subject: [LARTC] Kernel Packet Traveling Diagram
In-Reply-To: <81c11a560707020504m5132decdxa7a851c3bf5e8306@mail.gmail.com>
References: <81c11a560707020311q7c1241f6n504d68b00db6cd3c@mail.gmail.com>
	<81c11a560707020504m5132decdxa7a851c3bf5e8306@mail.gmail.com>
Message-ID:

On Mon, 2 Jul 2007, Edouard Thuleau wrote:

> Thanks,
> I know the older version of this diagram and this one is quite the same,
> as I told below, but the problem is the same for the DNAT. I made another
> test. I changed the DSCP value in the PREROUTING table and I put an
> ingress policing which matches this new dscp value but the filter doesn't
> match anything (I work on Linux 2.6.17).
> With my test, the older version (
> http://www.imagestream.com/~josh/PacketFlow.jpg)
> of the diagram seems more exact.

Don't know where I got this, but for as long as I can remember I've had
this at the top of my scripts as a sort of quick ref. :)

# --->PRE------>[ROUTE]--->FWD---------->POST------>
#     Conntrack    |       Mangle   ^    Mangle
#     Mangle       |       Filter   |    NAT (Src)
#     NAT (Dst)    |                |
#     (QDisc)      |             [ROUTE]
#                  v                |
#                  IN Mangle       OUT Conntrack
#                  |  Filter       ^   Mangle
#                  |               |   NAT (Dst)
#                  v               |   Filter

Regards,
Mark.

> Have you an idea ?
>
> 2007/7/2, nano bug :
>>
>> Hello,
>>
>> I find this one more useful :
>>
>> http://www.imagestream.com/~josh/PacketFlow-new.png
>>
>> On 7/2/07, Edouard Thuleau wrote:
>>
>> > Hi,
>> >
>> > I find this diagram which details the kernel packet traveling :
>> > http://www.docum.org/docum.org/kptd/
>> > Is it up to date ?
>> > I made some tests and I put a DNAT rule in the PREROUTING table of an
>> > interface and I attached an ingress policy to it; the dst IP wasn't
>> > changed. The DNAT isn't yet made.
>> >
>> > I've another question (I'm not sure if this is the right mailing list):
>> > for fragmented packets, I see the ingress policy doesn't work correctly
>> > and I'd like to know where in the kernel travel of the packet the
>> > fragments are re-assembled? At the NAT or in the routing?
>> >
>> > Thanks,
>> > Edouard.
>> >
>> > _______________________________________________
>> > LARTC mailing list
>> > LARTC@mailman.ds9a.nl
>> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>> >
>> >
>> >

From sunnyboyfrank at web.de Mon Jul 2 14:47:55 2007
From: sunnyboyfrank at web.de (Frank Remetter)
Date: Mon Jul 2 14:47:59 2007
Subject: [LARTC] Kernel Packet Traveling Diagram
In-Reply-To: <81c11a560707020311q7c1241f6n504d68b00db6cd3c@mail.gmail.com>
References: <81c11a560707020311q7c1241f6n504d68b00db6cd3c@mail.gmail.com>
Message-ID: <20070702144755.5aa905a9@ocean.remetter.homelinux.org>

Hey,

> I find this diagram which details the kernel packet traveling :
> http://www.docum.org/docum.org/kptd/

there's also one from the iptables-tutorial:
http://iptables-tutorial.frozentux.net/images/tables_traverse.jpg

Greets
-- 
Frank Remetter
http://www.remetter.de/
GPG-FP: 2B07 B7D8 5C27 AB94 7A37 8B0B DEBE DD89 D68B 7BE6

From linnewbye at gmail.com Mon Jul 2 17:08:23 2007
From: linnewbye at gmail.com (nano bug)
Date: Mon Jul 2 17:08:30 2007
Subject: [LARTC] Kernel Packet Traveling Diagram
In-Reply-To: <81c11a560707020527y71e37843pf3d474055e60eab@mail.gmail.com>
References:
	<81c11a560707020311q7c1241f6n504d68b00db6cd3c@mail.gmail.com>
	<81c11a560707020504m5132decdxa7a851c3bf5e8306@mail.gmail.com>
	<81c11a560707020527y71e37843pf3d474055e60eab@mail.gmail.com>
Message-ID:

Hello,

Can you post a "tc -s -d filter ls dev nas0" ?

On 7/2/07, Edouard Thuleau wrote:
>
> Yes,
> This one was for the DSCP re-marking :
>
> iptables -t mangle -A PREROUTING -i nas0 -d 192.168.43.2 -j DSCP
> --set-dscp 0x08
>
> $TC qdisc add dev nas0 handle ffff: ingress
> $TC filter add dev nas0 parent ffff: protocol ip prio 1 u32 match ip
> tos 0x20 0xff police rate 200kbit burst 1k drop flowid :1
>
> and this one with a DNAT rule :
>
> iptables -t nat -A PREROUTING -i nas0 -p udp --dport 11112 -j DNAT
> --to-destination 192.168.1.10
>
> $TC qdisc add dev nas0 handle ffff: ingress
> $TC filter add dev nas0 parent ffff: protocol ip prio 1 u32 match ip
> dst 192.168.1.10 police rate 200kbit burst 1k drop flowid :1
>
>
> 2007/7/2, nano bug :
> >
> > Hello,
> >
> > Can you post the scripts you are using ?
> >
> > On 7/2/07, Edouard Thuleau wrote:
> > >
> > > Thanks,
> > > I know the older version of this diagram and this one is quite the
> > > same, as I told below, but the problem is the same for the DNAT. I made
> > > another test. I changed the DSCP value in the PREROUTING table and I put
> > > an ingress policing which matches this new dscp value but the filter
> > > doesn't match anything (I work on Linux 2.6.17).
> > > With my test, the older version (http://www.imagestream.com/~josh/PacketFlow.jpg)
> > > of the diagram seems more exact.
> > >
> > > Have you an idea ?
> > >
> > > 2007/7/2, nano bug < linnewbye@gmail.com >:
> > > >
> > > > Hello,
> > > >
> > > > I find this one more useful :
> > > >
> > > > http://www.imagestream.com/~josh/PacketFlow-new.png
> > > >
> > > > On 7/2/07, Edouard Thuleau wrote:
> > > > >
> > > > > Hi,
> > > > >
> > > > > I find this diagram which details the kernel packet traveling :
> > > > > http://www.docum.org/docum.org/kptd/
> > > > > Is it up to date ?
> > > > > I made some tests and I put a DNAT rule in the PREROUTING table of
> > > > > an interface and I attached an ingress policy to it; the dst IP
> > > > > wasn't changed. The DNAT isn't yet made.
> > > > >
> > > > > I've another question (I'm not sure if this is the right mailing list):
> > > > > for fragmented packets, I see the ingress policy doesn't work
> > > > > correctly and I'd like to know where in the kernel travel of the
> > > > > packet the fragments are re-assembled? At the NAT or in the routing?
> > > > >
> > > > > Thanks,
> > > > > Edouard.
> > > > >
> > > > > _______________________________________________
> > > > > LARTC mailing list
> > > > > LARTC@mailman.ds9a.nl
> > > > > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> > > > >
> > > > >
> > > >
> > >
> >
>

From christian.benvenuti at libero.it Mon Jul 2 22:01:11 2007
From: christian.benvenuti at libero.it (Christian Benvenuti)
Date: Mon Jul 2 21:56:36 2007
Subject: [LARTC] Re: FW filter unused/unloaded ???
Message-ID: <1183406471.10411.13.camel@benve-laptop>

>##########################
>#Definition of the filters
>##########################
>tc filter add dev $interface protocol ip parent 1:0 prio 1 u32 match ip src $ip_src match ip dport 20000 0xffff flowid 1:10
>tc filter add dev $interface protocol ip parent 1:0 prio 1 u32 match ip src $ip_src match ip dport 20001 0xffff flowid 1:11
>tc filter add dev $interface protocol ip parent 1:0 prio 1 u32 match ip src $ip_src match ip dport 20002 0xffff flowid 1:12
>tc filter add dev $interface protocol ip parent 1:0 prio 1 u32 match ip src $ip_src match ip dport 20003 0xffff flowid 1:13
>tc filter add dev $interface parent 1:0 protocol ip prio 1 handle 7 fw flowid 1:14
                                                     ^^^^^^

The command that creates the FW filter is supposed to fail because it
has the same "protocol ip" and "prio 1" as the U32 filters above (which
is not allowed). Try changing the priority.

Regards
/Christian

[ http://benve.info ]

From fernando.serto at memetrics.com Tue Jul 3 02:51:39 2007
From: fernando.serto at memetrics.com (Fernando Serto)
Date: Tue Jul 3 02:51:46 2007
Subject: [LARTC] QoS + OpenVPN
Message-ID:

Hi,

I've got 3 questions:

1) is it possible to do QoS and OpenVPN? I thought about doing QoS
based on IP, as there's a couple of servers here that need to be on a
higher priority.

2) can anyone point me to a decent QoS how-to?

3) damn, I can't remember what this one was.
:o)

Cheers,

Fernando

From ja at ssi.bg Tue Jul 3 09:38:12 2007
From: ja at ssi.bg (Julian Anastasov)
Date: Tue Jul 3 09:38:18 2007
Subject: [LARTC] Using Julian Anastasov's 'routes' patches on 2.4 kernel in conjunction with IPSec
In-Reply-To: <200706281536.59960.seba@mfdlabs.ro>
References: <200706251447.51518.seba@mfdlabs.ro> <200706281536.59960.seba@mfdlabs.ro>
Message-ID:

	Hello,

On Thu, 28 Jun 2007, Seba Tiponut wrote:

> The _updown script is only called when a tunnel is brought up or down, but the
> problem I am having is not related to a tunnel, but to routing before any
> tunnel gets established.
> I mean that even a configuration with only one tunnel that is listening is
> creating problems because both StrongSWAN and OpenSWAN add IP addresses on
> the ipsecN interface that are identical to the ones on the real interface
> (ethN). I think the problem is related to the presence of the ipsecN
> interface in KLIPS (linux-2.4). On 2.6 kernels there is no such interface and
> consequently there is no "conflict". Is there any real solution to this
> problem?

	Long time ago it was in _startklips. I used something like this:

ip link set ipsec0 down
ip addr flush dev ipsec0
# It is safe to add all local GW IPs here, always with /32
ip addr add LOCAL_GW_IP/32 dev ipsec0 scope host label ipsecXXX
ip link set ipsec0 up

or

ifconfig ipsec0 0.0.0.0 up

should be enough. I.e. you still need some IP on ipsec devices but
don't duplicate eth networks there.

> On the other hand, my understanding of the solution you gave me (inserting a
> rule "from LNET to RNET") is that it can be applied once the tunnel is up.
> However, would you care to elaborate more on this case as well?

	Well, I found something in my sent-mail archives:

You need 2 ip rules and one routing table for all ipsec devices, eg:

# The traffic between gateways is not via ipsec device, i.e.
# NORMAL_TABLE can be "main"
ip rule add prio 100 from LOCAL_GW to REMOTE_GW1 table NORMAL_TABLE
# Negotiated lnet-rnet goes via ipsec device
ip rule add prio 200 from LNET1 to RNET1 table IPSEC_TABLE
ip route add RNET1 dev ipsec0 table IPSEC_TABLE
# There is no "via LOCAL_GW" in the route

# Another tunnel:
ip rule add prio 100 from LOCAL_GW to REMOTE_GW2 table NORMAL_TABLE
ip rule add prio 200 from LNET2 to RNET2 table IPSEC_TABLE
ip route add RNET2 dev ipsec1 table IPSEC_TABLE

So, you have:

- exception rules that route the ESP traffic via its normal routing
  table (ethXXX)
- negotiated nets go via ipsec devices where we do not have gateways,
  plain device route
- all routes to RNETs can be in the same table where all ipsec devices
  are used in routes but it can be changed to have different tables per
  each ipsec device (in case the same RNET is negotiated via different
  ipsec devices)

There is a benefit: if the LGW box has a local IP from LNET then it can
reach the RNET via the ipsec device. You do this by specifying "src
LNET_IP" for all routes via ipsec devices if you really have a local IP
from this lnet (which is common), so it is better to always have "src
lnet_IP" in all routes in table IPSEC_TABLE. As a result, you have all
possible data to give the right information to the routing:

- LGW are not routed via ipsec devices
- RNET sees a valid lnet_IP when your gateway talks to RNET via ipsec
  (allowing even masquerade for LNET boxes to be used when talking with
  RNET).

	Hope that helps!

> Cheers,
> Seba.
Regards

--
Julian Anastasov

From thuleau at gmail.com Tue Jul 3 13:41:19 2007
From: thuleau at gmail.com (Edouard Thuleau)
Date: Tue Jul 3 13:41:33 2007
Subject: [LARTC] Kernel Packet Traveling Diagram
In-Reply-To:
References: <81c11a560707020311q7c1241f6n504d68b00db6cd3c@mail.gmail.com>
	<81c11a560707020504m5132decdxa7a851c3bf5e8306@mail.gmail.com>
	<81c11a560707020527y71e37843pf3d474055e60eab@mail.gmail.com>
Message-ID: <81c11a560707030441w7e1ab328l7b148157dcfe6682@mail.gmail.com>

Hi,

I haven't the output of the "ls" with me.
The packet was fragmented in three parts, and I sent 40 packets and I can
see 40 packets in the filter, 80 in the qdisc and 40 in the iptables rule
(mangle dscp). So, for me the ingress QoS takes place before the NAT and
the mangle table.

I made other tests and I think I identified where the re-assembly of the
fragmented packet is made.
I put a simple iptables rule (mangle dscp) and I verified that conntrack
was disabled (module unloaded). I sent 40 packets fragmented in two parts
into the interface eth0 (MTU 1000 and packet size 1028). The counter of the
iptables rule counts 80 packets and the packets go out by the eth1
interface (MTU 1500) but the packets stay fragmented.
If I try this test with the conntrack module loaded, the counter of the
iptables rule counts 40 packets and the packets are re-assembled when they
go out by the eth1 interface.
So, I think it's the conntrack system which re-assembles the fragmented
packets.

2007/7/2, nano bug :
>
> Hello,
>
> Can you post a "tc -s -d filter ls dev nas0" ?
>
>
> On 7/2/07, Edouard Thuleau wrote:
> >
> > Yes,
> > This one was for the DSCP re-marking :
> >
> > iptables -t mangle -A PREROUTING -i nas0 -d 192.168.43.2 -j DSCP
> > --set-dscp 0x08
> >
> > $TC qdisc add dev nas0 handle ffff: ingress
> > $TC filter add dev nas0 parent ffff: protocol ip prio 1 u32 match ip
> > tos 0x20 0xff police rate 200kbit burst 1k drop flowid :1
> >
> > and this one with a DNAT rule :
> >
> > iptables -t nat -A PREROUTING -i nas0 -p udp --dport 11112 -j DNAT
> > --to-destination 192.168.1.10
> >
> > $TC qdisc add dev nas0 handle ffff: ingress
> > $TC filter add dev nas0 parent ffff: protocol ip prio 1 u32 match ip
> > dst 192.168.1.10 police rate 200kbit burst 1k drop flowid :1
> >
> >
> > 2007/7/2, nano bug :
> > >
> > > Hello,
> > >
> > > Can you post the scripts you are using ?
> > >
> > > On 7/2/07, Edouard Thuleau wrote:
> > > >
> > > > Thanks,
> > > > I know the older version of this diagram and this one is quite the
> > > > same, as I told below, but the problem is the same for the DNAT. I
> > > > made another test. I changed the DSCP value in the PREROUTING table
> > > > and I put an ingress policing which matches this new dscp value but
> > > > the filter doesn't match anything (I work on Linux 2.6.17).
> > > > With my test, the older version (http://www.imagestream.com/~josh/PacketFlow.jpg)
> > > > of the diagram seems more exact.
> > > >
> > > > Have you an idea ?
> > > >
> > > > 2007/7/2, nano bug < linnewbye@gmail.com >:
> > > > >
> > > > > Hello,
> > > > >
> > > > > I find this one more useful :
> > > > >
> > > > > http://www.imagestream.com/~josh/PacketFlow-new.png
> > > > >
> > > > > On 7/2/07, Edouard Thuleau wrote:
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > I find this diagram which details the kernel packet traveling :
> > > > > > http://www.docum.org/docum.org/kptd/
> > > > > > Is it up to date ?
> > > > > > I made some tests: I put a DNAT rule in the PREROUTING table of an interface and attached an ingress policy to it; the dst IP wasn't changed, the DNAT isn't done yet.
> > > > > >
> > > > > > I have another question (I'm not sure this is the right mailing list): for fragmented packets, I see the ingress policy doesn't work correctly and I'd like to know where in the packet's travel through the kernel the fragments are reassembled. At the NAT or in the routing?
> > > > > >
> > > > > > Thanks,
> > > > > > Edouard.
> > > > > >
> > > > > > _______________________________________________
> > > > > > LARTC mailing list
> > > > > > LARTC@mailman.ds9a.nl
> > > > > > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From thuleau at gmail.com Tue Jul 3 14:16:55 2007
From: thuleau at gmail.com (Edouard Thuleau)
Date: Tue Jul 3 14:17:08 2007
Subject: [LARTC] Kernel Packet Traveling Diagram
In-Reply-To: <81c11a560707030441w7e1ab328l7b148157dcfe6682@mail.gmail.com>
References: <81c11a560707020311q7c1241f6n504d68b00db6cd3c@mail.gmail.com> <81c11a560707020504m5132decdxa7a851c3bf5e8306@mail.gmail.com> <81c11a560707020527y71e37843pf3d474055e60eab@mail.gmail.com> <81c11a560707030441w7e1ab328l7b148157dcfe6682@mail.gmail.com>
Message-ID: <81c11a560707030516k33fe841cm28492d07d112c8f0@mail.gmail.com>

I made a mistake in the first part of my answer. It's 120 for the counter of the qdisc.

2007/7/3, Edouard Thuleau :
>
> Hi,
>
> I don't have the output of the "ls" with me.
> The packets were fragmented into three parts; I sent 40 packets and I can see 40 packets in the filter, 80 in the qdisc and 40 in the iptables rule (mangle dscp). So, for me, ingress QoS takes place before NAT and the mangle table.
> [...]
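The counts Edouard reports (40 datagrams seen as 80 packets by a hook that runs before conntrack, 40 by one that runs after it, and 120 when each datagram splits into three) follow directly from RFC 791 fragmentation. The following is an added example, not code from the thread or from the kernel: a small fragmenter, two per-packet matches modelled on his u32 filters (one on destination address, one on UDP destination port), and a minimal defragmenter standing in for conntrack's reassembly step. The destination 192.168.1.10 and port 11112 come from his DNAT rule; the source address 10.0.0.1 and the 1028-byte datagrams are constructed for the test. The security point it makes is the one behind his observation: any rate limit or port-based match applied before defragmentation sees only the first fragment's L4 header, so the later fragments are either counted as extra packets or not matched at all.

```python
import struct

IP_HDR_LEN = 20            # no IP options
UDP_HDR_LEN = 8
MF = 0x2000                # "More Fragments" flag in the flags/offset field
OFF_MASK = 0x1FFF          # fragment offset, in units of 8 bytes
IP_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, total length, id, flags/off, ttl, proto, cksum, src, dst


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: bytes, dst: bytes, ident: int, proto: int, flags_off: int, payload: bytes) -> bytes:
    hdr = struct.pack(IP_FMT, 0x45, 0, IP_HDR_LEN + len(payload), ident, flags_off, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse(packet: bytes) -> dict:
    f = struct.unpack(IP_FMT, packet[:IP_HDR_LEN])
    return {"id": f[3], "mf": bool(f[4] & MF), "offset": (f[4] & OFF_MASK) * 8,
            "proto": f[6], "src": f[8], "dst": f[9], "payload": packet[IP_HDR_LEN:f[2]]}


def fragment(packet: bytes, mtu: int) -> list:
    """Split an unfragmented IPv4 packet into fragments that fit `mtu` (RFC 791, DF clear)."""
    p = parse(packet)
    if len(packet) <= mtu:
        return [packet]
    chunk = (mtu - IP_HDR_LEN) // 8 * 8        # every fragment but the last carries a multiple of 8 bytes
    frags = []
    for off in range(0, len(p["payload"]), chunk):
        piece = p["payload"][off:off + chunk]
        more = MF if off + chunk < len(p["payload"]) else 0
        frags.append(build_ipv4(p["src"], p["dst"], p["id"], p["proto"], more | (off // 8), piece))
    return frags


def match_dst(packet: bytes, dst: bytes) -> bool:
    """Like 'u32 match ip dst': the address is in every fragment's IP header."""
    return parse(packet)["dst"] == dst


def match_udp_dport(packet: bytes, port: int) -> bool:
    """Like 'u32 match ip dport' / '-p udp --dport': only the first fragment carries the UDP header."""
    p = parse(packet)
    if p["proto"] != 17 or p["offset"] != 0 or len(p["payload"]) < UDP_HDR_LEN:
        return False
    return struct.unpack("!HH", p["payload"][:4])[1] == port


class Reassembler:
    """Minimal defragmenter keyed on (src, dst, id, proto); returns the whole datagram once
    every byte up to the last fragment has arrived, None while a hole remains.
    This is the role conntrack's defrag step plays in front of the rest of netfilter."""

    def __init__(self):
        self.pending = {}

    def feed(self, packet: bytes):
        p = parse(packet)
        if not p["mf"] and p["offset"] == 0:
            return packet                                   # not a fragment at all
        key = (p["src"], p["dst"], p["id"], p["proto"])
        st = self.pending.setdefault(key, {"parts": {}, "total": None})
        st["parts"][p["offset"]] = p["payload"]
        if not p["mf"]:
            st["total"] = p["offset"] + len(p["payload"])   # last fragment fixes the datagram length
        if st["total"] is None:
            return None
        data, pos = b"", 0
        while pos < st["total"]:
            part = st["parts"].get(pos)
            if part is None:
                return None                                 # hole: keep waiting
            data += part
            pos += len(part)
        del self.pending[key]
        return build_ipv4(p["src"], p["dst"], p["id"], p["proto"], 0, data)


def run_test(count=40, size=1028, mtu=1000, dst=bytes([192, 168, 1, 10]), port=11112):
    """Send `count` UDP datagrams of `size` bytes (IP total length) through an `mtu` hop and
    return hit counters for a hook in front of defragmentation and one behind it."""
    src = bytes([10, 0, 0, 1])                              # constructed sender
    udp_payload_len = size - IP_HDR_LEN - UDP_HDR_LEN
    before = {"packets": 0, "dst": 0, "dport": 0}
    after = {"packets": 0, "dst": 0, "dport": 0}
    reasm = Reassembler()
    for ident in range(count):
        udp = struct.pack("!HHHH", 40000, port, UDP_HDR_LEN + udp_payload_len, 0) + bytes(udp_payload_len)
        for frag in fragment(build_ipv4(src, dst, ident, 17, 0, udp), mtu):
            before["packets"] += 1
            before["dst"] += match_dst(frag, dst)
            before["dport"] += match_udp_dport(frag, port)
            whole = reasm.feed(frag)
            if whole is not None:
                after["packets"] += 1
                after["dst"] += match_dst(whole, dst)
                after["dport"] += match_udp_dport(whole, port)
    return before, after
```

With the thread's numbers, `run_test()` gives 80 packets in front of reassembly and 40 behind it, and the port match fires only 40 times in front (first fragments) against 80 for the address match; `run_test(mtu=520)` reproduces the 120 seen in the qdisc when each datagram becomes three fragments. The same asymmetry is why a policer attached at ingress, which on 2.6 runs before netfilter and therefore before conntrack, polices fragments rather than datagrams.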
From daniel at mks.padinet.com Tue Jul 3 16:49:09 2007
From: daniel at mks.padinet.com (Daniel Harold L.)
Date: Tue Jul 3 16:49:30 2007
Subject: [LARTC] Weird rate in HTB
Message-ID: <200707032249.09935.daniel@mks.padinet.com>

Dear all,

First, sorry for my bad English..

Tonight one of my clients is the victim of a UDP attack from the internet. It's tons of UDP packets from the internet with destination port 80. But when I look at the class of that victim client, the actual class rate is higher than the configured class rate.

Below is my screen capture. You can see class 1:913, which has an actual rate of 105136bit while configured with ceil at 96000bit. Also its parent class (1:91) has an actual rate of 107680bit while configured with ceil at 96000bit.

Is this normal? Or have I missed something in my script? Some time ago I found this situation but I forgot to capture the screen; the traffic was UDP too (maybe from a torrent-like client).

#tc -s -d class sh dev imq0 | grep -A4 1:91
class htb 1:91 parent 1:1 rate 17280bit ceil 96000bit burst 12Kb/8 mpu 0b overhead 0b cburst 12Kb/8 mpu 0b overhead 0b level 6
 Sent 292925505 bytes 1158879 pkt (dropped 0, overlimits 0 requeues 0)
 rate 107680bit 324pps backlog 0b 0p requeues 0
 lended: 25040 borrowed: 924897 giants: 0
 tokens: -6121720 ctokens: -831243
--
class htb 1:911 parent 1:91 leaf 911: prio 0 quantum 1000 rate 1712bit ceil 96000bit burst 12Kb/8 mpu 0b overhead 0b cburst 12Kb/8 mpu 0b overhead 0b level 0
 Sent 296118 bytes 4911 pkt (dropped 0, overlimits 0 requeues 0)
 rate 288bit 0pps backlog 0b 0p requeues 0
 lended: 4911 borrowed: 0 giants: 0
 tokens: 57158878 ctokens: 1019333
--
class htb 1:912 parent 1:91 leaf 912: prio 0 quantum 1000 rate 1712bit ceil 96000bit burst 12Kb/8 mpu 0b overhead 0b cburst 1647b/8 mpu 0b overhead 0b level 0
 Sent 4319317 bytes 16191 pkt (dropped 0, overlimits 0 requeues 0)
 rate 2632bit 0pps backlog 0b 0p requeues 0
 lended: 13098 borrowed: 3093 giants: 0
 tokens: -6153580 ctokens: 124667
--
class htb 1:913 parent 1:91 leaf 913: prio 0 quantum 1000 rate 13816bit ceil 96000bit burst 12Kb/8 mpu 0b overhead 0b cburst 1647b/8 mpu 0b overhead 0b level 0
 Sent 280566732 bytes 1137807 pkt (dropped 2924342, overlimits 0 requeues 0)
 rate 105136bit 312pps backlog 0b 30p requeues 0
 lended: 190933 borrowed: 946844 giants: 0
 tokens: -427412 ctokens: -138856

Regards,
Daniel

From kaber at trash.net Tue Jul 3 16:50:59 2007
From: kaber at trash.net (Patrick McHardy)
Date: Tue Jul 3 16:51:45 2007
Subject: [LARTC] Weird rate in HTB
In-Reply-To: <200707032249.09935.daniel@mks.padinet.com>
References: <200707032249.09935.daniel@mks.padinet.com>
Message-ID: <468A6253.3080602@trash.net>

Daniel Harold L. wrote:
> Dear all,
>
> First, sorry for my bad English..
>
> Tonight one of my clients is the victim of a UDP attack from the internet. It's tons of UDP packets from the internet with destination port 80. But when I look at the class of that victim client, the actual class rate is higher than the configured class rate.
>
> Below is my screen capture. You can see class 1:913, which has an actual rate of 105136bit while configured with ceil at 96000bit. Also its parent class (1:91) has an actual rate of 107680bit while configured with ceil at 96000bit.

Might be an integer overflow in the current iproute version. Which version are you using?

From daniel at mks.padinet.com Tue Jul 3 17:07:55 2007
From: daniel at mks.padinet.com (Daniel Harold L.)
Date: Tue Jul 3 17:08:18 2007
Subject: [LARTC] Weird rate in HTB
In-Reply-To: <468A6253.3080602@trash.net>
References: <200707032249.09935.daniel@mks.padinet.com> <468A6253.3080602@trash.net>
Message-ID: <200707032307.56127.daniel@mks.padinet.com>

On Tuesday 03 July 2007 22:50, you wrote:
> Daniel Harold L. wrote:
> > Dear all,
> >
> > First, sorry for my bad English..
> >
> > Tonight one of my clients is the victim of a UDP attack from the internet.
> > It's tons of UDP packets from the internet with destination port 80. But when I look at the class of that victim client, the actual class rate is higher than the configured class rate.
> >
> > Below is my screen capture. You can see class 1:913, which has an actual rate of 105136bit while configured with ceil at 96000bit. Also its parent class (1:91) has an actual rate of 107680bit while configured with ceil at 96000bit.
>
> Might be an integer overflow in the current iproute version. Which version are you using?

iproute2-2.6.16-060323 + esfq patch + wrr patch + srr patch

Actually I'm using the power pack package from Pawel Pawilcz, http://snaj.ath.cx/26x/index.html, for the 2.6.17 kernel.

Regards
Daniel

From kaber at trash.net Tue Jul 3 17:36:23 2007
From: kaber at trash.net (Patrick McHardy)
Date: Tue Jul 3 17:37:09 2007
Subject: [LARTC] Weird rate in HTB
In-Reply-To: <200707032307.56127.daniel@mks.padinet.com>
References: <200707032249.09935.daniel@mks.padinet.com> <468A6253.3080602@trash.net> <200707032307.56127.daniel@mks.padinet.com>
Message-ID: <468A6CF7.1060408@trash.net>

Daniel Harold L. wrote:
> On Tuesday 03 July 2007 22:50, you wrote:
>
>> Might be an integer overflow in the current iproute version. Which
>> version are you using?
>
> iproute2-2.6.16-060323 + esfq patch + wrr patch + srr patch

That version should be fine.

From lists at andyfurniss.entadsl.com Wed Jul 4 02:51:54 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Wed Jul 4 02:51:46 2007
Subject: [LARTC] Kernel Packet Traveling Diagram
In-Reply-To: <81c11a560707020311q7c1241f6n504d68b00db6cd3c@mail.gmail.com>
References: <81c11a560707020311q7c1241f6n504d68b00db6cd3c@mail.gmail.com>
Message-ID: <468AEF2A.8030202@andyfurniss.entadsl.com>

Edouard Thuleau wrote:
> Hi,
>
> I found this diagram which details the kernel packet travel:
> http://www.docum.org/docum.org/kptd/
> Is it up to date?
> I made some tests: I put a DNAT rule in the PREROUTING table of an interface and attached an ingress policy to it; the dst IP wasn't changed, the DNAT isn't done yet.

The default policer changed in 2.6 to hook before netfilter. The kptd is correct for 2.4s.

It's still possible to use the old policer on 2.6 as well - IIRC you have to say N to packet action in your kernel config and it should then give you the choice to enable the old policer.

IFB also hooks before netfilter - you can get IMQ to hook after PREROUTING NAT.

> I have another question (I'm not sure this is the right mailing list): for fragmented packets, I see the ingress policy doesn't work correctly and I'd like to know where in the packet's travel through the kernel the fragments are reassembled. At the NAT or in the routing?

Not really sure about this.

Andy.

From thuleau at gmail.com Wed Jul 4 11:32:21 2007
From: thuleau at gmail.com (Edouard Thuleau)
Date: Wed Jul 4 11:32:43 2007
Subject: [LARTC] ATM qdisc
Message-ID: <81c11a560707040232j755de71dh428bdbc350ce3b3c@mail.gmail.com>

Hi,

Does someone know how to use the atm qdisc (sch_atm)? I can't find any doc about it.

Thanks,
Edouard.

From lacos at inf.elte.hu Wed Jul 4 16:28:20 2007
From: lacos at inf.elte.hu (ERSEK Laszlo)
Date: Wed Jul 4 16:28:26 2007
Subject: [LARTC] infinite amount of data for HTB burst
Message-ID: <20070704140231.M39614@inf.elte.hu>

Dear all,

I'd like to ask for help with HTB configuration (after having read some manual pages, FAQs and forum posts).

Short version: is there a way to specify infinite burst for HTB? (Infinite amount of data to use the "ceil" rate.)
Long version:

I have the following small topology:

    cable modem (uplink to ISP)
           |
           |
      WLAN router
         /   \
        /     \
    laptop   desktop

- ethernet: 100mbit/s (I suppose)
- WiFi: 56mbit/s nominal, in reality very bad, many and grave stalls, cca. 500kbyte/s achievable on average. I consider this an "unknown" link capacity.
- upstream bandwidth my ISP provides: 256kbit/s

The desktop (GNU/Linux, debian sarge) is where the traffic shaping occurs. (Laptop-to-inet traffic is negligible, and neither the WLAN router nor the XP laptop has traffic shaping capabilities, AFAIK.)

This is what I'd like to do:

(1) desktop-to-inet traffic should be favored over desktop-to-laptop traffic (since the former has much lower throughput (256kbit/s vs. cca. 500kbyte/s) and higher latency)

(2) on the desktop, a special restricted technical user (call it "p2p") runs p2p software. The desktop-to-inet traffic should be split into two parallel flows, "p2p" and "!p2p". The entire desktop-to-inet traffic should be constrained to 240kbit/s. If the two flows don't compete for this 240kbit/s (their combined upload stays below 240kbit/s), then each can use whatever it feels like (for example, "p2p" uses 220kbit/s, "!p2p" uses 10kbit/s). If they do compete, then "p2p" should be constrained to 140kbit/s, and "!p2p" should be constrained to 100kbit/s.

For (1), I chose PRIO, for (2), I chose HTB.

legend: [qdisc], (class)

                      [1:0 PRIO, 2 bands]
                       /               \
           band 0, favored          band 1, back seat
                 /                         \
     (1:1 desktop-to-inet)        (1:2 desktop-to-laptop)
               |                             |
           [10:0 HTB]                   [pfifo_fast]
            /      \
      100kbit/s   140kbit/s
         /           \
   (10:1 !p2p)    (10:2 p2p)
        |             |
   [pfifo_fast]   [pfifo_fast]

----
DEV=eth0
P2P=140
NP2P=100
P2P_UID=...
LAPTOP=192.168.x.x

tc qdisc del dev $DEV root
iptables --table mangle --flush
iptables --table mangle --delete-chain

# Create [1:0 PRIO]
# Default: packets go to (1:1 desktop-to-inet)
tc qdisc add dev $DEV root handle 1:0 prio \
    bands 2 priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

# Class (1:1 desktop-to-inet) and class (1:2 desktop-to-laptop)
# get automatically defined by qdisc [1:0 PRIO].

# Direct desktop-to-laptop packets to (1:2 desktop-to-laptop)
tc filter add dev $DEV parent 1:0 protocol ip \
    u32 match ip dst $LAPTOP classid 1:2

# Create [10:0 HTB]
# Default: packets go to (10:1 !p2p)
tc qdisc add dev $DEV parent 1:1 handle 10:0 htb \
    default 1

# Add HTB classes.
tc class add dev $DEV parent 10:0 classid 10:1 \
    htb rate ${NP2P}kbit ceil $((NP2P + P2P))kbit
tc class add dev $DEV parent 10:0 classid 10:2 \
    htb rate ${P2P}kbit ceil $((NP2P + P2P))kbit

# Direct packets marked as p2p to (10:2 p2p)
tc filter add dev $DEV parent 10:0 protocol ip \
    handle 1 fw classid 10:2

# Mark p2p packets
iptables --table mangle --policy OUTPUT ACCEPT
iptables --table mangle --append OUTPUT --protocol ip \
    --match owner --uid-owner $P2P_UID --jump MARK \
    --set-mark 1
----

(I write the above from memory, so there can be typos.)

First, I'm not sure if the script above corresponds to the graph at all. (Perhaps ICMP is missing, too...)

Second, I started a single TCP upload with the p2p user to check if borrowing works. It does not: in the output of

    tc -s -d class show dev $DEV

the "tokens" for class (10:2 p2p) become negative, and so the actual rate stays at 140kbit/s (instead of 240kbit/s). After reading the manual page again, I added the "burst 1mb" parameter to this class, and it worked until 1 megabyte was uploaded. However, I couldn't specify "burst 2047mb": the TCP upload went virtually dead, and I saw very ugly values in the output of tc -s -d class show dev $DEV (integer overflows, maybe?).
I got the impression from

http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm

that I wouldn't need "burst" at all. However, without "burst", borrowing didn't work. With "burst", borrowing works, but only for a while.

So, can anybody please tell me how to specify an infinite burst at ceil rate? Or do I have to look at something else, e.g. CBQ? (The WiFi link's capacity is practically indeterminate; isn't that a problem when configuring CBQ?)

Since "burst" means the highest number of tokens available simultaneously in the bucket, it may not make much sense to wish for infinity.

Thank you,
lacos

From lacos at inf.elte.hu Thu Jul 5 02:39:13 2007
From: lacos at inf.elte.hu (ERSEK Laszlo)
Date: Thu Jul 5 02:39:22 2007
Subject: [LARTC] infinite amount of data for HTB burst
In-Reply-To: <20070704140231.M39614@inf.elte.hu>
References: <20070704140231.M39614@inf.elte.hu>
Message-ID: <20070705003124.M98302@inf.elte.hu>

(Sorry for following up on myself.)

On Wed, 4 Jul 2007 16:28:20 +0200, ERSEK Laszlo wrote
>
> Short version: is there a way to specify infinite burst for HTB?
> (Infinite amount of data to use the "ceil" rate.)
> [...]
> I got the impression from
>
> http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm
>
> that I wouldn't need "burst" at all. However, without "burst",
> borrowing didn't work.

I unfortunately overlooked the part "A root class, like other classes under an htb qdisc allows its children to borrow from each other, but one root class cannot borrow from another. [...] we have to create an extra class to serve as the root and put the classes that will carry the real data under that."

In the end, the task was solvable with a single HTB qdisc (no PRIO needed).

Sorry again for the noise.
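The rule Laszlo quotes from the HTB manual is easier to see in a small link-sharing model than in token counters. The following is an added example, not the list thread's code and not HTB's implementation (HTB is a time-based token-bucket scheduler; this is a static bandwidth-allocation model that ignores burst, priorities and quantum rounding). It computes what each class carries for a given offered load under the two hierarchies from his messages: the first script, with both leaves directly under the HTB qdisc, and the fix, with an extra 240kbit/s class as the root and the two leaves under it. The class names and the 100/140/240 kbit/s figures are his; the offered loads are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List

R2Q = 10  # HTB default: a class's quantum, its share of any surplus, is rate / r2q


@dataclass
class HtbClass:
    name: str
    rate: float                 # guaranteed bandwidth, kbit/s
    ceil: float                 # maximum with borrowing, kbit/s
    demand: float = 0.0         # offered load, kbit/s (leaf classes only)
    children: List["HtbClass"] = field(default_factory=list)

    def add(self, child: "HtbClass") -> "HtbClass":
        self.children.append(child)
        return child


def quantum(c: HtbClass) -> float:
    return c.rate / R2Q if c.rate > 0 else 1.0      # rate 0 classes still get a share (simplification)


def want(c: HtbClass, top_level: bool = False) -> float:
    """Bandwidth the class would use if its parent gave it everything it asks for.
    A top-level class has nobody to borrow from, so its ceil is effectively its rate:
    that is the 'one root class cannot borrow from another' rule."""
    cap = c.rate if top_level else c.ceil
    if not c.children:
        return min(c.demand, cap)
    return min(cap, sum(want(ch) for ch in c.children))


def allocate(c: HtbClass, share: float, out: Dict[str, float]) -> None:
    """Give `share` kbit/s to class c and divide it among its children: each child first
    gets min(want, rate); the surplus is lent out in proportion to quantum, never beyond
    what a child wants (which is already bounded by its ceil)."""
    out[c.name] = share
    if not c.children:
        return
    wants = {ch.name: want(ch) for ch in c.children}
    alloc = {ch.name: min(wants[ch.name], ch.rate) for ch in c.children}
    surplus = share - sum(alloc.values())
    if surplus < 0:
        # children's rates oversubscribe the parent (misconfiguration): scale down pro rata (assumption)
        total = sum(alloc.values()) or 1.0
        alloc = {n: share * a / total for n, a in alloc.items()}
        surplus = 0.0
    while surplus > 1e-9:
        borrowers = [ch for ch in c.children if wants[ch.name] - alloc[ch.name] > 1e-9]
        if not borrowers:
            break                                   # nobody wants more: the surplus stays unused
        total_q = sum(quantum(ch) for ch in borrowers)
        this_round = surplus
        for ch in borrowers:                        # water-filling: capped children free up share for the rest
            give = min(this_round * quantum(ch) / total_q, wants[ch.name] - alloc[ch.name])
            alloc[ch.name] += give
            surplus -= give
    for ch in c.children:
        allocate(ch, alloc[ch.name], out)


def simulate(top_level: List[HtbClass]) -> Dict[str, float]:
    """Top-level classes (direct children of the qdisc) are scheduled independently."""
    out: Dict[str, float] = {}
    for c in top_level:
        allocate(c, want(c, top_level=True), out)
    return out


def laszlo_first_try(p2p_load: float, other_load: float) -> Dict[str, float]:
    """Both leaves directly under the HTB qdisc, as in the posted script: no parent, no borrowing."""
    return simulate([HtbClass("10:1 !p2p", 100, 240, other_load),
                     HtbClass("10:2 p2p", 140, 240, p2p_load)])


def laszlo_fixed(p2p_load: float, other_load: float) -> Dict[str, float]:
    """Extra root class at 240kbit/s; the two leaves borrow its unused share."""
    root = HtbClass("10:1 inet", 240, 240)
    root.add(HtbClass("10:10 !p2p", 100, 240, other_load))
    root.add(HtbClass("10:20 p2p", 140, 240, p2p_load))
    return simulate([root])
```

`laszlo_first_try(1000, 0)` leaves the p2p class at 140kbit/s however high its ceil is set, which is the stuck rate he measured; `laszlo_fixed(1000, 0)` gives it the full 240, `laszlo_fixed(1000, 1000)` splits 100/140 when both compete, and `laszlo_fixed(1000, 10)` gives !p2p its 10 and lends the remaining 230 to p2p. No burst parameter appears anywhere: in this model, as in HTB, burst only sets how far a class may briefly run ahead of its rate, and is not what makes borrowing possible.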
lacos

From sauloaugustosilva at gmail.com Thu Jul 5 03:00:52 2007
From: sauloaugustosilva at gmail.com (Saulo Silva)
Date: Thu Jul 5 03:01:00 2007
Subject: [LARTC] Load Balancing , MSN and SSL
Message-ID: <3ddff6900707041800p415b68ag52d266e70a48ed64@mail.gmail.com>

Hi all,

I am running a FC6 box with two internet links with load balancing. Everything is working fine except the MSN connection, which fails and reconnects every time, and SSL connections. I would like to know if with the nona howto I could fix that.

I have tried with no success to redirect that connection only to one link, but it does not seem to work.

Here is my configuration:

#!/bin/bash
#
# Script based on http://lartc.org/howto/lartc.rpdb.multiple-links.html
#
#
#

IF0=eth1

function interface_interna() {
    VALOR_IP=0
    while [ $VALOR_IP -lt 254 ] ; do
        if [ $VALOR_IP -ne 33 ] ; then
            # /24 added: without a prefix length "ip route add" installs a single-host route
            P0_NET=192.168.${VALOR_IP}.0/24
            IP0=192.168.${VALOR_IP}.1
            ip route add $P0_NET dev $IF0 src $IP0 table T1
            ip route add $P0_NET dev $IF0 src $IP0 table T2
        fi
        VALOR_IP=$(expr $VALOR_IP + 1)
    done
    ip route add 192.168.33.0/24 via 10.1.2.1 dev eth1 src 10.1.2.2
    ip route add 192.168.33.0/24 via 10.1.2.1 dev eth1 src 10.1.2.2 table T1
    ip route add 192.168.33.0/24 via 10.1.2.1 dev eth1 src 10.1.2.2 table T2
}

IP1=xxx.xxx.xxx.18
IF1=eth0
P1_NET=xxx.xxx.xxx.16/30
P1=xxx.xxx.xxx.17

IP2=192.168.254.250
IF2=eth2
P2_NET=192.168.254.248/29
P2=192.168.254.254

ip route add $P1_NET dev $IF1 src $IP1 table T1
ip route add default via $P1 table T1
ip route add $P2_NET dev $IF2 src $IP2 table T2
ip route add default via $P2 table T2

ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2

ip rule add from $IP1 table T1
ip rule add from $IP2 table T2

# Note: P0_NET is only set inside interface_interna, which runs further down,
# so it is still empty when the two lines below execute.
ip route add $P0_NET dev $IF0 table T1
ip route add $P1_NET dev $IF1 table T1
ip route add $P2_NET dev $IF2 table T1
ip route add 127.0.0.0/8 dev lo table T1

ip route add $P0_NET dev $IF0 table T2
ip route add $P1_NET dev $IF1 table T2
ip route add $P2_NET dev $IF2 table T2
ip route add 127.0.0.0/8 dev lo table T2

interface_interna

ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \
    nexthop via $P2 dev $IF2 weight 1

# BACKUP ROUTES
ip route add default via $P2 dev $IF2 metric 1 table T1
ip route add default via $P1 dev $IF1 metric 1 table T2

# SERVICE ROUTES
ip rule add fwmark 2 table 21 prio 20
ip rule add fwmark 3 table 22 prio 20

ip route add default via $P1 dev $IF1 table 21
ip route add default via $P2 dev $IF2 table 22

ip route flush cache

Here are the iptables mangle rules:

############# MSN Services #####################
iptables -t mangle -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto msnmessenger -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i eth1 -p udp -m layer7 --l7proto msnmessenger -j MARK --set-mark 2
############### SSL Services ###########
iptables -t mangle -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto ssl -j MARK --set-mark 2

I added the rules for DNS and FTP too.

But it doesn't seem to work.

Any help will be appreciated.

Saulo Silva

From salim.si at cipherium.com.tw Thu Jul 5 03:28:49 2007
From: salim.si at cipherium.com.tw (Salim S I)
Date: Thu Jul 5 03:29:15 2007
Subject: [LARTC] Load Balancing , MSN and SSL
In-Reply-To: <3ddff6900707041800p415b68ag52d266e70a48ed64@mail.gmail.com>
Message-ID: <000701c7bea3$dada1320$b9021d0a@SalimSi>

Refer to the archives. Use connmark.

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Saulo Silva
Sent: Thursday, July 05, 2007 9:01 AM
To: LARTC@mailman.ds9a.nl
Subject: [LARTC] Load Balancing , MSN and SSL

Hi all,

I am running a FC6 box with two internet links with load balancing. Everything is working fine except the MSN connection, which fails and reconnects every time, and SSL connections.
[...]

From salim.si at cipherium.com.tw Thu Jul 5 06:08:36 2007
From: salim.si at cipherium.com.tw (Salim S I)
Date: Thu Jul 5 06:09:06 2007
Subject: [LARTC] Load Balancing , MSN and SSL
In-Reply-To: <3ddff6900707042058sa7270f2s4c32a216128a0e7b@mail.gmail.com>
Message-ID: <001a01c7beba$2c9475f0$b9021d0a@SalimSi>

http://mailman.ds9a.nl/pipermail/lartc/2007q2/020779.html
http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html

Two different approaches.

-----Original Message-----
From: Saulo Silva [mailto:sauloaugustosilva@gmail.com]
Sent: Thursday, July 05, 2007 11:58 AM
To: Salim S I
Subject: Re: [LARTC] Load Balancing , MSN and SSL

I already tried that with no success. Could you explain that better?

2007/7/4, Salim S I :

Refer to the archives. Use connmark.

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Saulo Silva
Sent: Thursday, July 05, 2007 9:01 AM
To: LARTC@mailman.ds9a.nl
Subject: [LARTC] Load Balancing , MSN and SSL

[...]

From lists at andyfurniss.entadsl.com Thu Jul 5 13:21:41 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Thu Jul 5 13:21:43 2007
Subject: [LARTC] Weird rate in HTB
In-Reply-To: <200707032249.09935.daniel@mks.padinet.com>
References: <200707032249.09935.daniel@mks.padinet.com>
Message-ID: <468CD445.30207@andyfurniss.entadsl.com>

Daniel Harold L. wrote:
> Dear all,
>
> First, sorry for my bad English..
>
> Tonight one of my clients is the victim of a UDP attack from the internet. It's tons of UDP packets from the internet with destination port 80. But when I look at the class of that victim client, the actual class rate is higher than the configured class rate.
>
> Below is my screen capture. You can see class 1:913, which has an actual rate of 105136bit while configured with ceil at 96000bit. Also its parent class (1:91) has an actual rate of 107680bit while configured with ceil at 96000bit.
>
> Is this normal? Or have I missed something in my script? Some time ago I found this situation but I forgot to capture the screen; the traffic was UDP too (maybe from a torrent-like client).

Yes it is normal!
The rate tables that tc use normally have an 8 byte steps, so it is possible for up to a 56bit/s error per packet and you have 300 pps. There was a small patch submitted for tc to make the error fall on the underrate rather than overrate side, but I think it got lost in the middle of the long ATM overhead patch thread on netdev. Andy. From randywallacejr at gmail.com Thu Jul 5 13:52:17 2007 From: randywallacejr at gmail.com (Randy D. Wallace Jr.) Date: Thu Jul 5 13:52:29 2007 Subject: [LARTC] RE: Load Balancing , MSN and SSL In-Reply-To: <20070705100010.835394B7D5@outpost.ds9a.nl> References: <20070705100010.835394B7D5@outpost.ds9a.nl> Message-ID: <468CDB71.60505@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > HI All , > > I am running a FC6 box with two internet links with load balance . Every > thing is working fine expect the MSN connection that failed and > reconnect every time and SSL connections . I would link to know if with > the nona howto I could fix that . > > I have been tried with no success to redirect that connection only to > one link but its look like do not work . 
Here is my configuration :
>
> #!/bin/bash
> #
> # Script based on
> http://lartc.org/howto/lartc.rpdb.multiple-links.html
> #
> #
> #
>
>
> IF0=eth1
>
> function interface_interna() {
> VALOR_IP=0
> while [ $VALOR_IP -lt 254 ] ; do
> if [ $VALOR_IP -ne 33 ] ; then
> P0_NET=192.168.${VALOR_IP}.0
> IP0=192.168.${VALOR_IP}.1
> ip route add $P0_NET dev $IF0 src $IP0 table T1
> ip route add $P0_NET dev $IF0 src $IP0 table T2
> fi
> VALOR_IP=$(expr $VALOR_IP + 1)
> done
> ip route add 192.168.33.0/24 via 10.1.2.1 dev eth1 src 10.1.2.2
> ip route add 192.168.33.0/24 via 10.1.2.1 dev eth1 src 10.1.2.2 table T1
> ip route add 192.168.33.0/24 via 10.1.2.1 dev eth1 src 10.1.2.2 table T2
> }
>
>
>
> IP1=xxx.xxx.xxx.18
> IF1=eth0
> P1_NET=xxx.xxx.xxx.16/30
> P1=xxx.xxx.xxx.17
>
>
> IP2=192.168.254.250
> IF2=eth2
> P2_NET=192.168.254.248/29
> P2=192.168.254.254
>
>
>
> ip route add $P1_NET dev $IF1 src $IP1 table T1
> ip route add default via $P1 table T1
> ip route add $P2_NET dev $IF2 src $IP2 table T2
> ip route add default via $P2 table T2
>
> ip route add $P1_NET dev $IF1 src $IP1
> ip route add $P2_NET dev $IF2 src $IP2
>
> ip rule add from $IP1 table T1
> ip rule add from $IP2 table T2
>
> ip route add $P0_NET dev $IF0 table T1
> ip route add $P1_NET dev $IF1 table T1
> ip route add $P2_NET dev $IF2 table T1
> ip route add 127.0.0.0/8 dev lo table T1
>
> ip route add $P0_NET dev $IF0 table T2
> ip route add $P1_NET dev $IF1 table T2
> ip route add $P2_NET dev $IF2 table T2
> ip route add 127.0.0.0/8 dev lo table T2
>
> interface_interna
>
> ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \
> nexthop via $P2 dev $IF2 weight 1
>
> #BACKUP ROUTES
>
> ip route add default via $P2 dev $IF2 metric 1 table T1
> ip route add default via $P1 dev $IF1 metric 1 table T2
>
> #SERVICE ROUTES
>
> ip rule add fwmark 2 table 21 prio 20
> ip rule add fwmark 3 table 22 prio 20
>
> ip route add default via $P1 dev $IF1 table 21
> ip route add default via $P2 dev $IF2 table 22
>
> ip route flush cache
>
> Here are the iptables mangle rules :
>
> ############# MSN Services #####################
> iptables -t mangle -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto msnmessenger -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -i eth1 -p udp -m layer7 --l7proto msnmessenger -j MARK --set-mark 2
> ############### SSL Services ###########
> iptables -t mangle -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto ssl -j MARK --set-mark 2

My experience with the layer7 module has been sketchy. Have you checked to make sure that the layer7 module is catching msnmessenger traffic? It would be a good idea to try

#iptables -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto msnmessenger -j LOG \
  --log-prefix 'MSN Messenger Packet: '

and consult /var/log/messages and make sure that layer7 is seeing it. If it's not, the packets for MSN traffic will never get marked.

A much better solution would be to mark based on destination port, and let connection tracking take care of the rest. For example:

#DNS Traffic
#iptables -A FORWARD -i eth1 -p tcp --dport 53 -j MARK --set-mark 2
#iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A FORWARD -p udp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

Hope this helps!

>
> I added the rules for DNS and FTP too .
>
> But it doesn't seem to work .
>
> Any help will be appreciated .
>
> Saulo Silva

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGjNtxE5g7hmMpaLoRAuFwAJ9ePBgmBCQfToFaT24PZFvdIhH20ACgq52E
pFsHeJgpBIGDG6oPHdhZpnc=
=TgHZ
-----END PGP SIGNATURE-----

From lists at andyfurniss.entadsl.com Fri Jul 6 02:32:00 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Fri Jul 6 02:31:37 2007
Subject: [LARTC] Traffic shaping on multiple interfaces
In-Reply-To: <468CE02F.3090604@gmail.com>
References: <467E4B74.5030809@gmail.com> <467F13E3.3010300@andyfurniss.entadsl.com> <468B41D1.4080505@gmail.com> <468BED45.6050801@andyfurniss.entadsl.com> <468CE02F.3090604@gmail.com>
Message-ID: <468D8D80.3020400@andyfurniss.entadsl.com>

Terry Baume wrote:
> Hi Andy,
> I had a chance to play around with ifb and the wondershaper script so
> far, I've come to realise a few things, one being related to what you
> previously mentioned about wondershaper being somewhat flawed in
> particular setups. I've included my entire modified wondershaper script
> at the end of this mail so that you can see my modifications.
>
> Your suggestion of redirecting traffic to ifb0 works wonderfully, keeps
> latency down very low even with 2 concurrent FTP transfers - one over
> ppp0 and one over eth1.
>
> I start to notice problems however when I have a large amount of traffic
> in the lowest priority group (1:30) as well as traffic in (1:20)
> competing for bandwidth - Is this what you meant by wondershaper being
> slightly flawed? If I classify all traffic directed to 10.25.0.0/25 as
> the lowest priority, by adding it to the 'NOPRIOHOSTDST' option, I
> notice that if there is an FTP connection from 10.25.0.0/25, as well as
> one coming over ppp0, latency rises very high again.
> I presume this is
> related to the following few lines in the script:
>
> # bulk & default class 1:20 - gets slightly less traffic,
> # and a lower priority:
>
> tc class add dev ifb0 parent 1:1 classid 1:20 htb rate $[9*$UPLINK/10]kbit \
> burst 6k prio 2
>
> tc class add dev ifb0 parent 1:1 classid 1:30 htb rate $[8*$UPLINK/10]kbit \
> burst 6k prio 2
>
> I'm not sure if I am reading into this correctly, but it seems to
> suggest that combined, these 2 classes have more bandwidth than the link
> itself?

Yes, you are right: HTB rates on leaves are not restricted by the parent rate. I guess when wondershaper was written HTB was new and not in the kernel. It may work with the CBQ version - not that I have ever tested CBQ.

> Do you have any suggestions as to how I can modify the script to work
> around these problems - ie so that a stream of bulk (1:30) and a stream
> of regular (1:20) traffic will not cause high latency?

You need to make the rates of the child classes add up to the parent's rate. To let them borrow spare bandwidth you can use the ceil parameter. If you still get high latency reduce UPLINK a bit more - DSL has quite high overheads.

> tc class add dev ifb0 parent 1:1 classid 1:10 htb rate ${UPLINK}kbit \
> burst 6k prio 1

... rate $[6*$UPLINK/10]kbit ceil ${UPLINK}kbit ...

> # bulk & default class 1:20 - gets slightly less traffic,
> # and a lower priority:
>
> tc class add dev ifb0 parent 1:1 classid 1:20 htb rate $[9*$UPLINK/10]kbit \
> burst 6k prio 2

... rate $[2*$UPLINK/10]kbit ceil ${UPLINK}kbit ...

> tc class add dev ifb0 parent 1:1 classid 1:30 htb rate $[8*$UPLINK/10]kbit \
> burst 6k prio 2

... rate $[2*$UPLINK/10]kbit ceil ${UPLINK}kbit ...

> ########## downlink #############
> # slow downloads down to somewhat less than the real speed to prevent
> # queuing at our ISP. Tune to see how high you can set it.
> # ISPs tend to have *huge* queues to make sure big downloads are fast
> #
> # attach ingress policer:
>
> tc qdisc add dev ifb0 handle ffff: ingress
>
> # filter *everything* to it (0.0.0.0/0), drop everything that's
> # coming in too fast:
>
> tc filter add dev ifb0 parent ffff: protocol ip prio 50 u32 match ip src \
> 0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1

This won't work on ifb0. You could put it on eth1 and change the "protocol ip" to "protocol all" and change the match to "match u32 0 0". In theory that may catch a few ARPs so I suppose you could add another rule to exempt them.

tc filter add dev eth1 parent ffff: protocol arp prio 1 u32 match u32 0 0 flowid :2

I would also make the burst bigger since you have quite high ingress bandwidth.

Andy.

From lists at andyfurniss.entadsl.com Fri Jul 6 03:43:58 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Fri Jul 6 03:43:36 2007
Subject: [LARTC] HTB and ATM patch
In-Reply-To: <81c11a560706280233o14820c88t8a3aa2d88b65f848@mail.gmail.com>
References: <81c11a560706280233o14820c88t8a3aa2d88b65f848@mail.gmail.com>
Message-ID: <468D9E5E.7020404@andyfurniss.entadsl.com>

Edouard Thuleau wrote:
> Hi all,
>
> I patched my kernel (2.6.17) and my tc (iproute2-2.6.18-061002) utility for
> accurate packet scheduling on an ATM link.
> I configured my HTB hierarchy on the upload of the link and tried with
> different flows.
>
> It works correctly but in some cases I lose about 50% of my bandwidth.

That's what DSL/ATM is like for some packet sizes, eg. an empty Windows ACK = 40 byte IP packet, but 2 ATM cells = 106 bytes on the wire.

> I use the overhead (42) configuration for my link (PPPoE, VC/LLC) indicated
> in the documentation.
> My question is, how is this overhead value calculated?
http://ace-host.stuart.id.au/russell/files/tc/tc-atm/

> I tried to separate the streams by packet length into different
> classes and put a specific overhead for each one, but I don't know how to
> calculate it. Do you think it's a good solution?

You don't need a different overhead, just 42 for all classes (assuming you are shaping on the ppp device - you can take 14 from the 42 if the ppp terminates elsewhere and you are shaping on eth).

> Is it necessary to put the atm, nohyst options and configure the overhead
> for the mother class ?

I would put overhead 42 atm nohyst after every rate - so yes.

Andy.

From lists at bogaurd.net Fri Jul 6 06:52:20 2007
From: lists at bogaurd.net (Terry Baume)
Date: Fri Jul 6 06:52:29 2007
Subject: [LARTC] Traffic shaping on multiple interfaces
In-Reply-To: <468D8D80.3020400@andyfurniss.entadsl.com>
References: <467E4B74.5030809@gmail.com> <467F13E3.3010300@andyfurniss.entadsl.com> <468B41D1.4080505@gmail.com> <468BED45.6050801@andyfurniss.entadsl.com> <468CE02F.3090604@gmail.com> <468D8D80.3020400@andyfurniss.entadsl.com>
Message-ID: <468DCA84.7030801@bogaurd.net>

Andy Furniss wrote:
> This won't work on ifb0. You could put it on eth1 and change the
> "protocol ip" to "protocol all" and change the match to "match u32 0
> 0" . In theory that may catch a few arp so I suppose you could add
> another rule to exempt them.
>
> tc filter add dev eth1 parent ffff: protocol arp prio 1 u32 match u32
> 0 0 flowid :2
>
> I would also make the burst bigger since you have quite high ingress
> bandwidth.
>
> Andy.

Thanks for the suggestions Andy, I've put them all into place, and everything seems to be working nicely. I just had a question regarding the rule to catch the ARPs - I get this message when I add the rule:

RTNETLINK answers: File exists

I guess this is because the parent qdisc for that interface has already been defined - does this mean that the rule won't work? Or is it just a debugging notice that can be safely ignored?
I've also raised my burst to 50k. Implementing the downstream shaping techniques you suggested, I am seeing good results.

I had a question regarding the ifb device - does it behave as a normal interface when doing masquerading etc? It seems that if I place destination IPs in the NOPRIOHOSTDST field, these get marked as low priority, and the same when I put source ports in NOPRIOPORTSRC. When I put source IPs in the NOPRIOHOSTSRC field, these do not seem to get marked as low priority - I tried with 192.168.0.1 as an example (an FTP server on the network). Could this be related to the fact that I'm using the IFB device?

Thanks,
Terry.

From lists at andyfurniss.entadsl.com Sat Jul 7 22:18:02 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Sat Jul 7 22:18:07 2007
Subject: [LARTC] Traffic shaping on multiple interfaces
In-Reply-To: <468DCA84.7030801@bogaurd.net>
References: <467E4B74.5030809@gmail.com> <467F13E3.3010300@andyfurniss.entadsl.com> <468B41D1.4080505@gmail.com> <468BED45.6050801@andyfurniss.entadsl.com> <468CE02F.3090604@gmail.com> <468D8D80.3020400@andyfurniss.entadsl.com> <468DCA84.7030801@bogaurd.net>
Message-ID: <468FF4FA.4030904@andyfurniss.entadsl.com>

Terry Baume wrote:
> Andy Furniss wrote:
>> This won't work on ifb0. You could put it on eth1 and change the
>> "protocol ip" to "protocol all" and change the match to "match u32 0
>> 0" . In theory that may catch a few arp so I suppose you could add
>> another rule to exempt them.
>>
>> tc filter add dev eth1 parent ffff: protocol arp prio 1 u32 match u32
>> 0 0 flowid :2
>>
>> I would also make the burst bigger since you have quite high ingress
>> bandwidth.
>>
>> Andy.
> Thanks for the suggestions Andy, I've put them all into place, and
> everything seems to be working nicely.
> I just had a question regarding
> the rule to catch the ARP's - I get this message when I add the rule:
>
> RTNETLINK answers: File exists
>
> I guess this because the parent qdisc for that interface has already
> been defined - does this mean that the rule won't work? Or is it just a
> debugging notice that can be safely ignored?

You shouldn't get an error for that - as long as you change the download part of the script to something like -

tc qdisc del dev eth1 ingress &>/dev/null
tc qdisc add dev eth1 handle ffff: ingress
tc filter add dev eth1 parent ffff: protocol arp prio 1 u32 match u32 0 0 flowid :2
tc filter add dev eth1 parent ffff: protocol all prio 50 u32 match u32 0 0 police rate ${DOWNLINK}kbit burst 50k drop flowid :1

>
> I've also raised my burst to 50k. Implementing the downstream shaping
> techniques you suggested, I am seeing good results.

Good - I guess 50k is OK as it's a WAN with WAN latency and you are shaping ingress from a bitrate limited line, so the virtual buffer only fills slowly. If you really wanted to have more control than just policing the whole link, you could use another ifb and shape the traffic as you do on egress - it won't be quite the same, though, because you will be shaping from the wrong end of the bottleneck.

FWIW if it were a LAN then 50k @ 17mbit totally borks a single TCP connection so you'll get nowhere near the set rate. It's because the latencies are so low I guess - netem 10ms delay on and all is well again - or make the burst bigger.

>
> I had a question regarding the ifb device - does it behave as a normal
> interface when doing masquerading etc?

I don't think iptables will see it as a real device.

> It seems that if I place
> destination IP's in the NOPRIOHOSTDST field, these get marked as low
> priority, and the same when I put source ports in NOPRIOPORTSRC.
> When I
> put source IP's in the NOPRIOHOSTSRC field, these do not seem to get
> marked as low priority - I tried with 192.168.0.1 as an example (an FTP
> server on the network). Could this be related to the fact that I'm using
> the IFB device?

No, it's because if you do SNAT/MASQUERADE the addresses have already been changed - it would still happen if you shaped directly on ppp0.

To work around it you need to use iptables rules to mark the traffic and then make tc filter rules to match the marks, eg.

iptables -t mangle -A POSTROUTING --src 192.168.0.1 -j MARK --set-mark 35

tc filter add dev ifb0 parent 1:0 prio 27 protocol ip handle 35 fw flowid 1:X

Depending on what other rules are used you'll need to change the prio to something unused.

Andy.

From nozo at ziu.info Sat Jul 7 22:52:04 2007
From: nozo at ziu.info (Michal Soltys)
Date: Sat Jul 7 22:53:13 2007
Subject: [LARTC] tc u32's indev parameter
Message-ID: <468FFCF4.2080900@ziu.info>

After checking the f_u32.c sources, there's one extra parameter parsed - indev - that is described nowhere, not even in the command-line help or in Russell's excellent documentation. Does anyone know what its purpose is?

From santoniu at msn.com Sun Jul 8 12:36:20 2007
From: santoniu at msn.com (Antoniu-George SAVU)
Date: Sun Jul 8 12:36:29 2007
Subject: [LARTC] Troubles with tc/iptables - per TCP session tc
Message-ID:

Hello,

I have read most of the relevant emails already posted to the LARTC mailing list and I have not found a solution to my problem.

What I am trying to do is: limit the HTTP output traffic to 30Mbps and also limit each HTTP connection to 512Kbps if the client downloads more than 1MB. I have managed to limit the total traffic but not the traffic of each HTTP connection.
Here is my setup:

/sbin/tc qdisc add dev eth0 root handle 1:0 htb default 1
/sbin/tc class add dev eth0 parent 1:0 classid 1:1 htb rate 100mbit
/sbin/tc class add dev eth0 parent 1:1 classid 1:11 htb rate 512kbit ceil 512kbit
/sbin/tc class add dev eth0 parent 1:1 classid 1:12 htb rate 30mbit ceil 30mbit

/sbin/iptables --table mangle --append POSTROUTING --out-interface eth0 --protocol tcp --sport 80 -m connbytes --connbytes 1024000: --connbytes-dir reply --connbytes-mode bytes --jump CLASSIFY --set-class 1:11
/sbin/iptables --table mangle --append POSTROUTING --out-interface eth0 --protocol tcp --sport 80 --jump CLASSIFY --set-class 1:12

I have tried, without success, to mark the matching packets with iptables and redirect a marked packet to class 1:11:

/sbin/iptables --table mangle --append POSTROUTING --out-interface eth0 --protocol tcp --sport 80 -m connbytes --connbytes 1024000: --connbytes-dir reply --connbytes-mode bytes --jump MARK --set-mark 11
/sbin/tc filter add dev eth0 parent 0: prio 0 protocol ip handle 11 fw classid 11

Any clue or ideas? What am I doing wrong?

Thank you,
George

From netsecuredata at gmail.com Sun Jul 8 20:04:45 2007
From: netsecuredata at gmail.com (Jorge Evangelista)
Date: Sun Jul 8 20:04:59 2007
Subject: [LARTC] RE: Load Balancing , MSN and SSL
In-Reply-To: <468CDB71.60505@gmail.com>
References: <20070705100010.835394B7D5@outpost.ds9a.nl> <468CDB71.60505@gmail.com>
Message-ID:

Hi,

I think you could mark packets based on port 1863 and the hosts messenger.hotmail.com, gateway.messenger.hotmail.com, webmessenger.msn.com

On 7/5/07, Randy D. Wallace Jr.
wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > HI All ,
> >
> > I am running a FC6 box with two internet links with load balance . Everything
> > is working fine except the MSN connection that fails and
> > reconnects every time and SSL connections . I would like to know if with
> > the nona howto I could fix that .
> >
> > I have been trying with no success to redirect that connection only to
> > one link but it looks like it does not work . Here is my configuration :
> >
> > #!/bin/bash
> > #
> > # Script based on
> > http://lartc.org/howto/lartc.rpdb.multiple-links.html
> > #
> > #
> > #
> >
> >
> > IF0=eth1
> >
> > function interface_interna() {
> > VALOR_IP=0
> > while [ $VALOR_IP -lt 254 ] ; do
> > if [ $VALOR_IP -ne 33 ] ; then
> > P0_NET=192.168.${VALOR_IP}.0
> > IP0=192.168.${VALOR_IP}.1
> > ip route add $P0_NET dev $IF0 src $IP0 table T1
> > ip route add $P0_NET dev $IF0 src $IP0 table T2
> > fi
> > VALOR_IP=$(expr $VALOR_IP + 1)
> > done
> > ip route add 192.168.33.0/24 via 10.1.2.1 dev eth1 src 10.1.2.2
> > ip route add 192.168.33.0/24 via 10.1.2.1 dev eth1 src 10.1.2.2 table T1
> > ip route add 192.168.33.0/24 via 10.1.2.1 dev eth1 src 10.1.2.2 table T2
> > }
> >
> >
> >
> > IP1=xxx.xxx.xxx.18
> > IF1=eth0
> > P1_NET=xxx.xxx.xxx.16/30
> > P1=xxx.xxx.xxx.17
> >
> >
> > IP2=192.168.254.250
> > IF2=eth2
> > P2_NET=192.168.254.248/29
> > P2=192.168.254.254
> >
> >
> >
> > ip route add $P1_NET dev $IF1 src $IP1 table T1
> > ip route add default via $P1 table T1
> > ip route add $P2_NET dev $IF2 src $IP2 table T2
> > ip route add default via $P2 table T2
> >
> > ip route add $P1_NET dev $IF1 src $IP1
> > ip route add $P2_NET dev $IF2 src $IP2
> >
> > ip rule add from $IP1 table T1
> > ip rule add from $IP2 table T2
> >
> > ip route add $P0_NET dev $IF0 table T1
> > ip route add $P1_NET dev $IF1 table T1
> > ip route add $P2_NET dev $IF2 table T1
> > ip route add 127.0.0.0/8 dev lo table T1
> >
> > ip route add $P0_NET dev $IF0 table T2
> > ip route add $P1_NET dev $IF1 table T2
> > ip route add $P2_NET dev $IF2 table T2
> > ip route add 127.0.0.0/8 dev lo table T2
> >
> > interface_interna
> >
> > ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \
> > nexthop via $P2 dev $IF2 weight 1
> >
> > #BACKUP ROUTES
> >
> > ip route add default via $P2 dev $IF2 metric 1 table T1
> > ip route add default via $P1 dev $IF1 metric 1 table T2
> >
> > #SERVICE ROUTES
> >
> > ip rule add fwmark 2 table 21 prio 20
> > ip rule add fwmark 3 table 22 prio 20
> >
> > ip route add default via $P1 dev $IF1 table 21
> > ip route add default via $P2 dev $IF2 table 22
> >
> > ip route flush cache
> >
> > Here are the iptables mangle rules :
> >
> > ############# MSN Services #####################
> > iptables -t mangle -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto msnmessenger -j MARK --set-mark 2
> > iptables -t mangle -A PREROUTING -i eth1 -p udp -m layer7 --l7proto msnmessenger -j MARK --set-mark 2
> > ############### SSL Services ###########
> > iptables -t mangle -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto ssl -j MARK --set-mark 2
>
> My experience with the layer7 module has been sketchy. Have you checked to
> make sure that the layer7 module is catching msnmessenger traffic? It would
> be a good idea to try
>
> #iptables -A PREROUTING -i eth1 -p tcp -m layer7 --l7proto msnmessenger -j LOG \
>   --log-prefix 'MSN Messenger Packet: '
>
> and consult /var/log/messages and make sure that layer7 is seeing it.
> If it's not, the packets for MSN traffic will never get marked.
>
> A much better solution would be to mark based on destination port, and let connection
> tracking take care of the rest. For example:
>
> #DNS Traffic
> #iptables -A FORWARD -i eth1 -p tcp --dport 53 -j MARK --set-mark 2
> #iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
> #iptables -A FORWARD -p udp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
>
> Hope this helps!
>
> >
> > I added the rules for DNS and FTP too .
> >
> > But it doesn't seem to work .
> >
> > Any help will be appreciated .
> >
> > Saulo Silva
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFGjNtxE5g7hmMpaLoRAuFwAJ9ePBgmBCQfToFaT24PZFvdIhH20ACgq52E
> pFsHeJgpBIGDG6oPHdhZpnc=
> =TgHZ
> -----END PGP SIGNATURE-----
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

--
"The network is the computer"

From gtaylor at riverviewtech.net Mon Jul 9 08:26:55 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Mon Jul 9 08:27:18 2007
Subject: [LARTC] To broadcast or not to broadcast...
Message-ID: <4691D52F.7080908@riverviewtech.net>

I'm looking to refine / re-use my recently discussed "Redundant internet connections" (http://mailman.ds9a.nl/pipermail/lartc/2007q2/thread.html#21015) in such a way that I will not be sure of returning traffic, thus I must monitor the connection myself and not rely on inbound traffic to update the kernel counters.

I'm considering using arping to ping the upstream gateway. I think this will work just fine. However arping has an option to always send broadcasts versus starting with broadcast packets and then falling back to unicast packets. My fear is that if I use arping's default method of broadcast and then unicast once a MAC is known, this will fail if the upstream router is doing something where the MAC address would change.

So, my question / request for thoughts and / or opinions is: should I always send out broadcasts so that any and all stations on the subnet see the ARP, thus allowing the arping to function even if the MAC address of the default gateway is changed, say if the provider decides to do an upgrade and / or maintenance?

Grant. . . .
From gtaylor at riverviewtech.net Mon Jul 9 08:29:39 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Mon Jul 9 08:29:51 2007
Subject: [LARTC] The netiquette of monitoring...
Message-ID: <4691D5D3.7000509@riverviewtech.net>

What is the proper netiquette of monitoring a router? How often is often enough versus too often? How large should the monitoring probes be? Is there an aggregate speed (bps) or amount (pps) or both (bps and pps) that should not be exceeded?

Grant. . . .

From ghartung at photobucket.com Mon Jul 9 17:06:29 2007
From: ghartung at photobucket.com (Greg Hartung)
Date: Mon Jul 9 17:07:04 2007
Subject: [LARTC] GRE tunnel - workaround found, possible bug in the kernel?
In-Reply-To:
Message-ID:

The problem appears to be a bug in the kernel. One thing I'd forgotten to mention was that I regularly use VLAN interfaces on all of my machines. The public exit interface on the CentOS boxes was a VLAN tagged interface (eth0.2). But when I did later tests on the Fedora boxes, I just did a test on their native interfaces, which worked.

At first I thought perhaps I was running into an MTU problem, but then I realized I was only sending small ICMP packets to test. And tcpdump isn't seeing any packets exit, so I *think* Linux is choking on the double tagging. If I exchange the addresses, moving the public address to the untagged interface (eth0) and the private address to the tagged interface (eth0.2 for example), GRE works fine since the default route is using the publicly addressed interface and is much happier when it's untagged.

Is this a bug or are 802.1q and GRE tagging just inherently incompatible?

Greg

From trapni at gentoo.org Mon Jul 9 20:07:49 2007
From: trapni at gentoo.org (Christian Parpart)
Date: Mon Jul 9 20:08:06 2007
Subject: [LARTC] custom routing (two gateways)
Message-ID: <200707092007.51792.trapni@gentoo.org>

Hi all,

I'm having a somewhat stupid problem I can't get rid of.
We've a server that accepts incoming world connections from a load balancer (10.10.10.4) to port 80, and we still want to serve incoming ssh/http from the firewall (10.10.10.1) routed to this host (10.10.10.90), and their reply packets of course shall be sent out through the firewall. Unfortunately, both hosts (the load balancer (LB) and the firewall (FW)) are on the same subnet (10.10.10.0/24) and thus on the same interface (eth0), but I need to find a solution.

So, packets sent from the LB shall get their answer through the LB as nexthop of course, and incoming packets from the FW shall have their response packets sent out to the FW as nexthop, too. But how to realise this?

server: 10.10.10.90 (this is the problem host)
firewall (FW): 10.10.10.1 (we receive (mostly) ssh/https conns from it)
loadbalancer (LB): 10.10.10.4 (we receive http conns from it)

FW and LB are accepting/forwarding and routing connections from the world to our server.

server ~ # ip route list
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.90
10.10.10.0/24 dev eth0 proto kernel scope link src 10.10.10.90
127.0.0.0/8 dev lo scope link
default via 10.10.10.1 dev eth0

You see, default traffic is routed through the firewall as the default gateway... but now we want outgoing traffic caused by incoming packets from the load balancer to be routed back through the load balancer itself.

I tried several approaches here, like adding custom routing tables and modifying the tables (including main); either I got no answers routed to the FW or no traffic got routed to the LB.

Can you please give me a hint on how to find the right way?

Thanks in advance,
Christian Parpart.

From gtaylor at riverviewtech.net Mon Jul 9 21:01:26 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Mon Jul 9 20:59:16 2007
Subject: [LARTC] custom routing (two gateways)
In-Reply-To: <200707092007.51792.trapni@gentoo.org>
References: <200707092007.51792.trapni@gentoo.org>
Message-ID: <46928606.5060301@riverviewtech.net>

On 07/09/07 13:07, Christian Parpart wrote:
> I tried here several approaches, like adding custom routing tables,
> and modifying the tables (including main) either I got no answers
> routed to the FW or no traffic got routed to the LB.

I think you were on the right path.

I would set up a custom routing table for traffic associated with the load balancer to use. This load balancer routing table would use the load balancer as the default gateway.

You would then use ip rule(s) to determine which traffic would deviate from the normal default routing tables and use the load balancer routing table. This could probably be done based on source port on the web server, or based on connection / packet marks in IPTables. However you do it, you will probably need an additional routing table.

Keep going the direction you were, or perhaps post some of what you did try and let us take a look at it to see if you were close.

Grant. . . .

From donvodka at gmail.com Mon Jul 9 21:14:00 2007
From: donvodka at gmail.com (Edgar)
Date: Mon Jul 9 21:17:00 2007
Subject: [LARTC] Help with traffic control (HTB ESFQ RED)
Message-ID: <469288F8.7060409@gmail.com>

Hello, there's a problem I've had for several months now, and I've never been able to find an answer to it. I'll try to explain as quickly as possible: I have a server that controls my home network; it provides internet to them also (NAT) and I would like to provide QoS by shaping traffic.
I have a p2p server here (running mldonkey); since only that machine is serving p2p and anyone can connect to it to download linux distros ( :) ), my attempt here was to limit bandwidth for that machine. I've partially done this: I've written some HTB rules and I've nested ESFQ leaves within HTB classes. At first it seems like it works, but then two problems arise: 1) Web latency (partially solved by increasing burst size, but still happens) and 2) download seems affected a lot on the p2p server.

I believe HTB is doing its work, but the one that is failing to do so correctly is ESFQ, since I see upload limited to the rate I specify. I'm using ESFQ since it can control traffic by IP, instead of doing it by flows (like classic SFQ). I tried using RED too, but I haven't been able to find much documentation for it, so I guess I might be doing RED stuff wrong (I'll include my RED rule too, in case anyone can help with it).

So I'll post the script I'm using to shape traffic; hope you ppl can help me out.

#!/bin/sh

### Upload Link ###
DEV=eth0

### Modify $DEV's queue and MTU ###
ip link set dev $DEV qlen 50
ip link set dev $DEV mtu 1500

### iptables mangle table cleanup ###
iptables -t mangle -F
iptables -t mangle -X

## ROOT QDISC cleanup in $DEV
tc qdisc del dev $DEV root 2> /dev/null > /dev/null
tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null
#tc qdisc del dev $HDEV root 2> /dev/null > /dev/null

P2P_IP=192.168.0.100
SSH_PORT=9000

### CLASSES ###
SSH=1:10
P2P=1:20
DEF=1:30
HTTP=1:40

iptables -t mangle -A POSTROUTING -s $P2P_IP -o $DEV -j CLASSIFY --set-class $P2P
iptables -t mangle -A OUTPUT -o $DEV -p tcp --sport $SSH_PORT -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -o $DEV -s ! $P2P_IP -p tcp -m length --length :64 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -o $DEV -m mark --mark 1 -j CLASSIFY --set-class $SSH
iptables -t mangle -A OUTPUT -o $DEV -m mark --mark 1 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A POSTROUTING -o $DEV -s ! $P2P_IP -p tcp -m multiport --destination-ports 80,445,7777,7778,8080 -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -o $DEV -m mark --mark 2 -j CLASSIFY --set-class $HTTP
iptables -t mangle -A POSTROUTING -o $DEV -m mark --mark 2 -j TOS --set-tos Maximize-Throughput

MAX_RATE=30kbps
P2P_UP=10kbps

## HTB CLASSES ##
tc qdisc add dev $DEV root handle 1: htb default 30
tc class add dev $DEV parent 1: classid 1:1 htb rate $MAX_RATE burst 15k
tc class add dev $DEV parent 1:1 classid $P2P htb rate 3kbps ceil $P2P_UP burst 0 prio 2 quantum 1600
tc class add dev $DEV parent 1:1 classid $SSH htb rate 5kbps ceil $MAX_RATE burst 0 prio 0 quantum 1600
tc class add dev $DEV parent 1:1 classid $HTTP htb rate 10kbps ceil $MAX_RATE burst 15k prio 0 quantum 1600
tc class add dev $DEV parent 1:1 classid $DEF htb rate 5kbps ceil $MAX_RATE burst 0 prio 1 quantum 1600

### ESFQ LEAFS ###
tc qdisc add dev $DEV parent $SSH handle 10: esfq perturb 10 hash ctorigdst
tc qdisc add dev $DEV parent $DEF handle 30: esfq perturb 10 hash classic
tc qdisc add dev $DEV parent $P2P handle 20: esfq perturb 10 hash ctorigdst depth 256
tc qdisc add dev $DEV parent $HTTP handle 40: esfq perturb 10 hash classic

## RED rule used instead of ESFQ one for $P2P class ##
#tc qdisc add dev $DEV parent $P2P handle 20: red min 1600 max 6400 burst 5 limit 6k avpkt 1000

From trapni at gentoo.org Tue Jul 10 16:14:26 2007
From: trapni at gentoo.org (Christian Parpart)
Date: Tue Jul 10 16:14:58 2007
Subject: [LARTC] custom routing (two gateways)
In-Reply-To: <46928606.5060301@riverviewtech.net>
References: <200707092007.51792.trapni@gentoo.org> <46928606.5060301@riverviewtech.net>
Message-ID: <200707101614.26556.trapni@gentoo.org>

On Monday 09 July 2007 21:01:26 Grant Taylor wrote:
> On 07/09/07 13:07, Christian Parpart wrote:
> > I tried here several approaches, like adding custom routing tables,
> > and modifying the tables (including main) either I got no answers
> > routed to the FW or no traffic got routed
> > to the LB.
>
> I think you were on the right path.
>
> I would set up a custom routing table for traffic associated with the
> load balancer to use. This load balancer routing table would use the
> load balancer as the default gateway.
>
> You would then use ip rule(s) to determine which traffic would deviate
> from the normal default routing tables and use the load balancer routing
> table. This could probably be done based on source port on the web
> server, or based on connection / packet marks in IPTables. However you
> do it, you will probably need an additional routing table.
>
> Keep going the direction you were, or perhaps post some of what you did
> try and let us take a look at it to see if you were close.

I finally found a way, and your hint (select by server port number) finally helped me to get rid of it :)

The following is the script to be executed at bootup to set up the additional routing table.

#! /bin/bash
# sets up additional routing table for load balancer traffic on a node

# --------------------------------------------------------------------------------
LB_IP=10.10.10.4            # load balancer IP
LB_IF=eth0                  # ethernet interface the load balancer is talking from/to

rt_table_name=loadbalancer  # LB routing table name
rt_table_num=200            # LB routing table ID

fwmark=1                    # FW mark to use for LB traffic

service_port=8000           # HTTP port for lighttpd on local machine that
                            # serves for the load balancer

# --------------------------------------------------------------------------------

# just ensure that we have a routing table called loadbalancer
if ! grep -q ${rt_table_name} /etc/iproute2/rt_tables; then
    echo "${rt_table_num} ${rt_table_name}" >> /etc/iproute2/rt_tables
fi

# add a default route for communication from LB<->this_host
ip route flush table ${rt_table_name}
ip route add default via ${LB_IP} table ${rt_table_name} dev ${LB_IF}

# add a selector rule for which packets we want to use the LB routing table
ip rule add fwmark ${fwmark} table ${rt_table_name}

# finally lets mark all packets that shall be sent out to the LB
iptables -t mangle -A OUTPUT -p tcp --sport ${service_port} -j MARK --set-mark ${fwmark}
# --(doesn't work? why?)-- iptables -t mangle -A INPUT -p tcp --dport ${service_port} -j CONNMARK --set-mark ${fwmark}

However, you might see that I first tried to fwmark all packets by connection matching, using CONNMARK, so that I only need to select all incoming traffic that came from the load balancer as the previous hop and with our service port 8000, and let iptables itself mark all further connection-related packets automatically. But this didn't work out, unfortunately, and I am using the OUTPUT table to match the packets. What is the better approach anyway?

Thanks for your help,
Christian Parpart.

From marco.escobar at gmail.com Wed Jul 11 00:39:29 2007
From: marco.escobar at gmail.com (Marco Escobar)
Date: Wed Jul 11 00:39:34 2007
Subject: [LARTC] Question 2 Providers
Message-ID: <54aa68460707101539u3352df30s8ab9f87957362297@mail.gmail.com>

Hi Masters!

I'm new to this, so please, I need your help....

I have 2 internet links on a Linux router, and I need to know how to make it so that if one link goes down, the gateway and the IP of the other link are configured automatically with ip route, so that the users can get out to the internet. Basically it is a contingency between the two providers: if one link goes down the other comes up, and later, when the failed link comes back, it goes back to using it. How should I do this?

THANK YOU VERY MUCH
MARCO

From netsecuredata at gmail.com Wed Jul 11 01:05:03 2007
From: netsecuredata at gmail.com (Jorge Evangelista)
Date: Wed Jul 11 01:05:11 2007
Subject: [LARTC] Question 2 Providers
In-Reply-To: <54aa68460707101539u3352df30s8ab9f87957362297@mail.gmail.com>
References: <54aa68460707101539u3352df30s8ab9f87957362297@mail.gmail.com>
Message-ID:

Hi Marco,

You could configure a script with cron and ping and monitor the default gateway; if there is no response you have to change the default gateway on the Linux box to the other default gateway.

ip route replace default via OTHER_IP_GATEWAY

Also, you can use quagga if you enable dynamic protocols on Linux.

On 7/10/07, Marco Escobar wrote:
> Hi Masters!
>
> I'm new to this, so please, I need your help....
> > Tengo 2 enlaces de internet, en un router linux, necesito saber como se > puede hacer que si se cae un enlace, automaticamente con ip route configure > el Gateway y la ip del otro enlace para que los usuarios salgan a internet. > En si es hacer una contingencia de los dos proveedores cosa que si cae un > enlace levante el otro y que despues cuando suba el enlace caido vuelva a > utilizarlo.. > > como lo debo hacer? > > Google Traductor > > I am new in this and please I need its aid?. I have 2 I connect of Internet, > in router linux, need to know like is possible to be done that if a > connection falls, automatically with IP route forms the Gateway and the IP > of the other connection so that the users leave to Internet. In if it is to > both make a contingency of suppliers thing that if a connection falls it > raises the other and that later when it raises the caido connection returns > to use it. as I must do it? > > MUCHAS GRACIAS > > MARCO > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > -- "The network is the computer" From shemminger at linux-foundation.org Wed Jul 11 04:01:03 2007 From: shemminger at linux-foundation.org (Stephen Hemminger) Date: Wed Jul 11 04:01:23 2007 Subject: [LARTC] [ANNOUNCE] iproute2 2.6.22-070710 Message-ID: <20070710190103.09ffa0e8@freepuppy.rosehill.hemminger.net> This is an update to iproute2 utilities including bug fixes and features related to 2.6.22 kernel. This package tries to be source compatible across releases. The same source should build on older systems, but obviously the newer kernel features won't be available. 
It can be downloaded from: http://developer.osdl.org/dev/iproute2/download/iproute2-2.6.22-070710.tar.gz Repository: git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git For more info on iproute2 see: http://linux-net.osdl.org/index.php/Iproute2 Changelog David Lamparter (1): iproute2: Format IPv6 tunnels endpoints nicely. Mike Frysinger (1): ip/routef lifesaver Patrick McHardy (1): Fwd: Re: more iproute2 issues (not critical) Pavel Roskin (1): ip: add support for displaying link types 802 and 803 Stephen Hemminger (11): Revert "Increase internal clock resolution to nsec" Add xt_tcpudp.h incorrect initialization headers update to 2.6.22 fix last change fix build warnings netem: static Add TC_LIB_DIR environment variable. ss: fix issues with signed inodes Thomas Graf (2): iproute2: support for goto/nop action and detached flag iproute2: Support IFF_LOWER_UP and IFF_DORMANT Yasuyuki KOZAKAI (1): Fix symbolic link to tc-bfifo.8 jamal (2): SAD info SPD info -- Stephen Hemminger From shemminger at linux-foundation.org Thu Jul 12 06:10:09 2007 From: shemminger at linux-foundation.org (Stephen Hemminger) Date: Thu Jul 12 06:10:55 2007 Subject: [LARTC] Re: iproute2 2.6.22-070710 , mp_ematch.y:11: unrecognized: %error-verbose , ... In-Reply-To: References: <20070710190103.09ffa0e8@freepuppy.rosehill.hemminger.net> Message-ID: <20070711211009.088c814e@freepuppy.rosehill.hemminger.net> On Wed, 11 Jul 2007 20:38:43 -0700 (PDT) "Mr. James W. Laferriere" wrote: > Hello Stephen (& All) , Maybe next build of the tarball one could tar > up the base directory name as well . ie: iproute2-2.6.22-070710/ . > The error below while being (quite probably) manually correctable isn't > something I'd expect to see in a release . > Twyl , JimL > > ps: I am not subscribed to netdev (I am quite sure) . > > $ ./configure > TC schedulers > ATM no > > $ make > make[1]: Entering directory `/home/archive/iproute2-2_6_22-070710/lib' > ...snip... 
> gcc -D_GNU_SOURCE -O2 -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -DCONFIG_GACT -DCONFIG_GACT_PROB -c -o m_ematch.o m_ematch.c > bison -d -t -v -o emp_ematch.yacc.c emp_ematch.y > emp_ematch.y:11: unrecognized: %error-verbose > emp_ematch.y:11: Skipping to next % > make[1]: *** [emp_ematch.yacc.c] Error 1 > make[1]: Leaving directory `/home/archive/iproute2-2_6_22-070710/tc' > make: *** [all] Error 2 > jiml@filesrv1:/home/archive Which version of bison. There have been issues where bison / flex don't always stay source compatible across releases. From dale at czexan.net Thu Jul 12 21:51:14 2007 From: dale at czexan.net (dale) Date: Thu Jul 12 21:51:23 2007 Subject: [LARTC] voip quality/bandwidth/latency techniques Message-ID: <46968632.30801@czexan.net> I have voip quality issues I would like to minimize. I have a ~= 3M/384k (Comcast) cable modem and a CentOS based Linux router (SME 7, 2.6.9 kernel) with 5 NAT'd devices (3 PCs "DHCP", 2 Vonage adapters "static 10.10.2.10-11"). The quality problems are audio cutting out and popping. I tried the following (see below) based on a Cookbook example, but I still have audio popping. I have noticed popping corresponding with web browsing, etc. Any suggestions that may improve voip quality? Also, are there any network metric capture/graphing tools that are helpful to analyze these type of issues. I'm thinking of a graph that shows various network metrics. I could watch the graph while using the phone and correlate graph spikes with audio pops. Thanks in advance for your help. 
Dale tc qdisc del root dev eth1 tc qdisc add dev eth1 root handle 1: htb default 12 tc class add dev eth1 parent 1: classid 1:1 htb rate 300kbit ceil 300kbit tc class add dev eth1 parent 1:1 classid 1:10 htb rate 200kbit ceil 300kbit prio 0 tc class add dev eth1 parent 1:1 classid 1:11 htb rate 50kbit ceil 300kbit prio 1 tc class add dev eth1 parent 1:1 classid 1:12 htb rate 30kbit ceil 300kbit prio 2 tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10 tc filter add dev eth1 parent 1:0 protocol ip prio 2 handle 2 fw classid 1:11 tc filter add dev eth1 parent 1:0 protocol ip prio 3 handle 3 fw classid 1:12 iptables -t mangle -A PREROUTING --src 10.10.2.10 -j MARK --set-mark 0x1 iptables -t mangle -A PREROUTING --src 10.10.2.10 -j RETURN iptables -t mangle -A PREROUTING --src 10.10.2.11 -j MARK --set-mark 0x1 iptables -t mangle -A PREROUTING --src 10.10.2.11 -j RETURN iptables -t mangle -A PREROUTING -j MARK --set-mark 0x3 From elie.roux at enst-bretagne.fr Fri Jul 13 10:39:04 2007 From: elie.roux at enst-bretagne.fr (elie.roux@enst-bretagne.fr) Date: Fri Jul 13 10:39:56 2007 Subject: [LARTC] bandwith limiting and prio classes Message-ID: <20070713103904.tq0eyz8tss8kw088@webmail.enst-bretagne.fr> Hello, I'd like to build a 4 class prio system based on mark (until now no problem), but with a limited bandwidth. I have configured my eth* to be 10mbit full duplex, and I'd like to limit the bandwidth to 1mbit. I managed to do it with a policy filter matching all the traffic, but I can redirect it into only one class, so all my prio classes are useless. I also tried to limit the bandwidth with a cbq, but I must have missed something because whatever arguments I passed to it, it didn't limit the bandwith. How else can I do ? 
Thank you in advance, -- Elie Roux From elie.roux at enst-bretagne.fr Fri Jul 13 14:58:36 2007 From: elie.roux at enst-bretagne.fr (elie.roux@enst-bretagne.fr) Date: Fri Jul 13 14:58:57 2007 Subject: [LARTC] bandwith limiting and prio classes In-Reply-To: <000301c7c52b$a9b4ea20$b9021d0a@SalimSi> References: <000301c7c52b$a9b4ea20$b9021d0a@SalimSi> Message-ID: <20070713145836.jl46um804goccg8g@webmail.enst-bretagne.fr> Salim S I a ?crit : > Use an HTB/CBQ class at the top with 1mbit limit. (HTB is easier). > Direct all traffic to this class. You do not need to use mark here. > Fit your four PRIO classes under the HTB class, if you want, and filter > traffic based on marks. Ok, I tried it (with a tbf), now my bandwidth is well limitated, but my filters doesn't seem to work, all the packets go in 400: . Here is my script : tc qdisc add dev eth2 root handle 1:0 tbf rate 1mbit buffer 1600 limit 10000 tc qdisc add dev eth2 parent 1:0 handle 10: prio bands 4 priomap 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 tc qdisc add dev eth2 parent 10:1 handle 100: sfq tc qdisc add dev eth2 parent 10:2 handle 200: sfq tc qdisc add dev eth2 parent 10:3 handle 300: sfq tc qdisc add dev eth2 parent 10:4 handle 400: sfq tc filter add dev eth2 parent 10: prio 1 protocol ip handle 0x1 fw flowid 100: tc filter add dev eth2 parent 10: prio 2 protocol ip handle 0x2 fw flowid 200: tc filter add dev eth2 parent 10: prio 3 protocol ip handle 0x3 fw flowid 300: I've tried to replace parent 10: by parent 1:, but it makes an error (very explicit, like all the tc errors). 
Thank you in advance, -- Elie From elie.roux at enst-bretagne.fr Fri Jul 13 16:14:13 2007 From: elie.roux at enst-bretagne.fr (elie.roux@enst-bretagne.fr) Date: Fri Jul 13 16:14:23 2007 Subject: [LARTC] bandwith limiting and prio classes In-Reply-To: <20070713145836.jl46um804goccg8g@webmail.enst-bretagne.fr> References: <000301c7c52b$a9b4ea20$b9021d0a@SalimSi> <20070713145836.jl46um804goccg8g@webmail.enst-bretagne.fr> Message-ID: <20070713161413.51b2wvkdv4sgsscs@webmail.enst-bretagne.fr> > I've tried to replace parent 10: by parent 1:, but it makes an error > (very explicit, like all the tc errors). Sorry, it now works, I had to replace flowid 100: by flowid 10:1. Thank you, -- Elie From orrie at seznam.cz Fri Jul 13 19:09:28 2007 From: orrie at seznam.cz (Ales Klok) Date: Fri Jul 13 19:10:10 2007 Subject: [LARTC] voip quality/bandwidth/latency techniques In-Reply-To: <46968632.30801@czexan.net> References: <46968632.30801@czexan.net> Message-ID: <4697B1C8.3010200@seznam.cz> dale wrote: > I have voip quality issues I would like to minimize. I have a ~= > 3M/384k (Comcast) cable modem and a CentOS based Linux router (SME 7, > 2.6.9 kernel) with 5 NAT'd devices (3 PCs "DHCP", 2 Vonage adapters > "static 10.10.2.10-11"). The quality problems are audio cutting out > and popping. I tried the following (see below) based on a Cookbook > example, but I still have audio popping. I have noticed popping > corresponding with web browsing, etc. Any suggestions that may > improve voip quality? Also, are there any network metric > capture/graphing tools that are helpful to analyze these type of > issues. I'm thinking of a graph that shows various network metrics. > I could watch the graph while using the phone and correlate graph > spikes with audio pops. Thanks in advance for your help. > > Dale Hi Dale, you have to guarantee both delay (latency) and bandwidth for clean VoIP calls. With HTB you can't do that (although it's still better than nothing). 
You should use HFSC scheduler. If you have working HTB script than changing it to HFSC is quite simple. Good start is here http://linux-ip.net/articles/hfsc.en/ also there are plenty of exapmles using HFSC for VoIP on the web. Note that you have to guarantee latency and bandwidth on both incoming and outgoing direction (i can see only outgoing in your example). There are other things to tweak such as MTU, VoIP chunk size and others, but start with HFSC shaping. /ak From lists at andyfurniss.entadsl.com Tue Jul 17 03:24:39 2007 From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Tue Jul 17 03:24:48 2007 Subject: [LARTC] voip quality/bandwidth/latency techniques In-Reply-To: <46968632.30801@czexan.net> References: <46968632.30801@czexan.net> Message-ID: <469C1A57.1050405@andyfurniss.entadsl.com> dale wrote: > I have voip quality issues I would like to minimize. I have a ~= > 3M/384k (Comcast) cable modem and a CentOS based Linux router (SME 7, > 2.6.9 kernel) with 5 NAT'd devices (3 PCs "DHCP", 2 Vonage adapters > "static 10.10.2.10-11"). The quality problems are audio cutting out and > popping. I tried the following (see below) based on a Cookbook example, > but I still have audio popping. I have noticed popping corresponding > with web browsing, etc. Maybe you need to consider shaping/policing ingress traffic aswell. Any suggestions that may improve voip quality? > Also, are there any network metric capture/graphing tools that are > helpful to analyze these type of issues. I'm thinking of a graph that > shows various network metrics. I could watch the graph while using the > phone and correlate graph spikes with audio pops. Thanks in advance for > your help. I don't use any graphing tools, but I would mark icmp as 1 aswell and have ping running while testing. > > Dale > > > > tc qdisc del root dev eth1 > tc qdisc add dev eth1 root handle 1: htb default 12 Since you mark all unmarked ip as 3 you don't need default 12 - it will send arp to the worst class. 
> tc class add dev eth1 parent 1: classid 1:1 htb rate 300kbit ceil 300kbit > tc class add dev eth1 parent 1:1 classid 1:10 htb rate 200kbit ceil > 300kbit prio 0 > tc class add dev eth1 parent 1:1 classid 1:11 htb rate 50kbit ceil > 300kbit prio 1 > tc class add dev eth1 parent 1:1 classid 1:12 htb rate 30kbit ceil > 300kbit prio 2 > tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 1 fw classid > 1:10 > tc filter add dev eth1 parent 1:0 protocol ip prio 2 handle 2 fw classid > 1:11 unused? > tc filter add dev eth1 parent 1:0 protocol ip prio 3 handle 3 fw classid > 1:12 > iptables -t mangle -A PREROUTING --src 10.10.2.10 -j MARK --set-mark 0x1 > iptables -t mangle -A PREROUTING --src 10.10.2.10 -j RETURN > iptables -t mangle -A PREROUTING --src 10.10.2.11 -j MARK --set-mark 0x1 > iptables -t mangle -A PREROUTING --src 10.10.2.11 -j RETURN > iptables -t mangle -A PREROUTING -j MARK --set-mark 0x3 Andy. From lists at andyfurniss.entadsl.com Tue Jul 17 04:06:48 2007 From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Tue Jul 17 04:06:39 2007 Subject: [LARTC] Help with traffic control (HTB ESFQ RED) In-Reply-To: <469288F8.7060409@gmail.com> References: <469288F8.7060409@gmail.com> Message-ID: <469C2438.9050104@andyfurniss.entadsl.com> Edgar wrote: > Hello, there's a problem I've had for several months now, and I've never > been able to find an answer to it. I'll try to explain as quick as > possible: > > I have a server that controlls my home network, it provides internet > to them also (NAT) and I would like to provide QoS by shaping traffic. I > have a p2p server here (running mldonkey), since only that machine is > serving p2p and anyone can connect to it to download linux distros ( :) > ) my attemp here was to limit bandwidth for that machine. I've partially > done this, I've written some HTB rules and I've nested ESFQ leafs within > htb classes. 
At first it seems like it works, but then two problems > arise: 1) Web latency (partially solved by increasing burst size, but > still happens) Possibly too close to egress rate or need to shape/police ingress or maybe prio dns lookups aswell. and 2) download seems affected a lot in the p2p server. You need to prio acks/small packets for P2P aswell or they may get delayed too much in the queue. You could also raise it's ceil a bit. > I believe HTB is doing it's work, but the one that is failing to do > so correctly is ESFQ, since I see upload limitted to the rate I specify. > I'm using ESFQ since it can control traffic by ip, instead of doing it > by flows (like classic sfq). I tried using RED too, but I haven't been > able to find much documentation for it, so I guess I might be doing RED > stuff wrong (I'll include my RED rule too, in case anyone can help with > it). So I'll post the script I'm using to shape traffic, hope you ppl > can help me out. > > #!/bin/sh > > ### Upload Link ### > DEV=eth0 > > ### Modify $DEV's queue and MTU ### > ip link set dev $DEV qlen 50 *sfq still defaults to 128 I think - use limit parameter to reduce > ip link set dev $DEV mtu 1500 > > ### iptables mangle table cleanup ### > iptables -t mangle -F > iptables -t mangle -X > > ## ROOT QDISC cleanup in $DEV > tc qdisc del dev $DEV root 2> /dev/null > /dev/null > tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null > #tc qdisc del dev $HDEV root 2> /dev/null > /dev/null > > P2P_IP=192.168.0.100 > SSH_PORT=9000 > > ### CLASSES ### > SSH=1:10 > P2P=1:20 > DEF=1:30 > HTTP=1:40 > > iptables -t mangle -A POSTROUTING -s $P2P_IP -o $DEV -j CLASSIFY > --set-class $P2P > iptables -t mangle -A OUTPUT -o $DEV -p tcp --sport $SSH_PORT -j MARK > --set-mark 1 > iptables -t mangle -A POSTROUTING -o $DEV -s ! 
$P2P_IP -p tcp -m length > --length :64 -j MARK --set-mark 1 > iptables -t mangle -A OUTPUT -o $DEV -m mark --mark 1 -j CLASSIFY > --set-class $SSH > iptables -t mangle -A OUTPUT -o $DEV -m mark --mark 1 -j TOS --set-tos > Minimize-Delay > iptables -t mangle -A POSTROUTING -o $DEV -s ! $P2P_IP -p tcp -m > multiport --destination-ports 80,445,7777,7778,8080 -j MARK --set-mark 2 > iptables -t mangle -A POSTROUTING -o $DEV -m mark --mark 2 -j CLASSIFY > --set-class $HTTP > iptables -t mangle -A POSTROUTING -o $DEV -m mark --mark 2 -j TOS > --set-tos Maximize-Throughput The tos won't make any difference > > MAX_RATE=30kbps > P2P_UP=10kbps > ## HTB CLASSES ## > > tc qdisc add dev $DEV root handle 1: htb default 30 Arp will go to default - it's better to use iptables/a filter to catch other ip traffic. > tc class add dev $DEV parent 1: classid 1:1 htb rate $MAX_RATE burst 15k > tc class add dev $DEV parent 1:1 classid $P2P htb rate 3kbps ceil > $P2P_UP burst 0 prio 2 quantum 1600 From memory burst 10 gave a smaller burst than 0 when I tested. tc -s -d class ls $DEV will show bursts used. 
> tc class add dev $DEV parent 1:1 classid $SSH htb rate 5kbps ceil > $MAX_RATE burst 0 prio 0 quantum 1600 I would give ssh some burst > tc class add dev $DEV parent 1:1 classid $HTTP htb rate 10kbps ceil > $MAX_RATE burst 15k prio 0 quantum 1600 > tc class add dev $DEV parent 1:1 classid $DEF htb rate 5kbps ceil > $MAX_RATE burst 0 prio 1 quantum 1600 > > ### ESFQ LEAFS ### > tc qdisc add dev $DEV parent $SSH handle 10: esfq perturb 10 hash ctorigdst > tc qdisc add dev $DEV parent $DEF handle 30: esfq perturb 10 hash classic > tc qdisc add dev $DEV parent $P2P handle 20: esfq perturb 10 hash > ctorigdst depth 256 > tc qdisc add dev $DEV parent $HTTP handle 40: esfq perturb 10 hash classic > > > ## RED rule used instead of ESFQ one for $P2P class ## > #tc qdisc add dev $DEV parent $P2P handle 20: red min 1600 max 6400 > burst 5 limit 6k avpkt 1000 > > > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > From vdautrem at ulb.ac.be Tue Jul 17 05:48:30 2007 From: vdautrem at ulb.ac.be (Vincent Dautremont) Date: Tue Jul 17 05:48:44 2007 Subject: [LARTC] a "browse the code" website for iproute2 source files ? Message-ID: <93586D0F-58AE-4658-979C-753AA3FDA79F@ulb.ac.be> Hi, I'm searching is there is a website to browse iproute2 source code as we can do with the kernel here http://lxr.linux.no/source/ It's a very useful tool to follow function calls and macros across the multitude of files of the package. I've already searched google for a websie like this but i haven't found anything so I ask here. One more time, thank for your help. Vincent. From brian at interlinx.bc.ca Tue Jul 17 05:54:55 2007 From: brian at interlinx.bc.ca (Brian J. Murrell) Date: Tue Jul 17 05:55:09 2007 Subject: [LARTC] a "browse the code" website for iproute2 source files ? 
In-Reply-To: <93586D0F-58AE-4658-979C-753AA3FDA79F@ulb.ac.be> References: <93586D0F-58AE-4658-979C-753AA3FDA79F@ulb.ac.be> Message-ID: <1184644495.25271.162.camel@pc.ilinx> On Tue, 2007-07-17 at 05:48 +0200, Vincent Dautremont wrote: > Hi, > I'm searching is there is a website to browse iproute2 source code as > we can do with the kernel here http://lxr.linux.no/source/ > It's a very useful tool to follow function calls and macros across > the multitude of files of the package. > I've already searched google for a websie like this but i haven't > found anything so I ask here. Why not just download a tarball, make tags and used tagged editing? b. -- My other computer is your Microsoft Windows server. Brian J. Murrell -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20070716/de74a44b/attachment.pgp From leroy.vanlogchem at wldelft.nl Thu Jul 19 14:55:55 2007 From: leroy.vanlogchem at wldelft.nl (Leroy van Logchem) Date: Thu Jul 19 14:56:21 2007 Subject: [LARTC] tc qdisc TEQL limited to two interfaces? [ 1.8Gbps ] Message-ID: <469F5F5B.5010107@wldelft.nl> I'am using the following script to aggregate the bandwidth of one quad gigabit ethernet controller (pci-express). 
#!/bin/bash sysctl -w net.ipv4.tcp_reordering = 30 ifconfig eth1 up ifconfig eth2 up ifconfig eth3 up ifconfig eth4 up modprobe sch_teql tc qdisc add dev eth1 root teql0 tc qdisc add dev eth2 root teql0 tc qdisc del dev eth3 root teql0 tc qdisc del dev eth4 root teql0 ip link set dev teql0 up ip addr flush dev eth1 ip addr flush dev eth2 ip addr flush dev eth3 ip addr flush dev eth4 ip addr flush dev teql0 ip addr add dev eth1 10.0.0.3/31 ip addr add dev eth2 10.0.0.5/31 #ip addr add dev eth3 10.0.0.7/31 #ip addr add dev eth4 10.0.0.9/31 ip addr add dev teql0 10.0.0.11/31 echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter echo 0 > /proc/sys/net/ipv4/conf/eth2/rp_filter echo 0 > /proc/sys/net/ipv4/conf/eth3/rp_filter echo 0 > /proc/sys/net/ipv4/conf/eth4/rp_filter route add -host 10.0.0.2 gw 10.0.0.10 route add -host 10.0.0.4 gw 10.0.0.10 route del -host 10.0.0.6 gw 10.0.0.10 route del -host 10.0.0.8 gw 10.0.0.10 This setup, using just two interfaces, gives a nice and stable iperf bandwidth of 1.85Gbit/s ( 231MB/s ). But when configure all four interfaces the bandwidth drops below 1Gbit/s? Any tips or ideas are welcome! -- Leroy From oliv at arsac.org Thu Jul 19 15:16:18 2007 From: oliv at arsac.org (olivier arsac) Date: Thu Jul 19 15:16:27 2007 Subject: [LARTC] How to check an inactive slave in a bond? Message-ID: <469F6422.5060303@arsac.org> I'm using bonding in active-fallback mode to guarantee maximum availability on some critical servers. The mii mode is active so I can detect things like dead card and/or unplugged cable even on the inactive slave. But how do I check that the inactive slave is properly configured/connected to the switch/vlan? I ask this question because it has just bitten me in a part I'll keep undisclosed. Scenario: your bond0 is running fine. 
it uses eth0 as active slave and eth2 as inactive slave (different cards/ different driver to be safe) some bozo reconfigures the switch port where your eth2 is plugged in and you don't notice it (the crucial point here) later on, your eth0 dies (or is unplugged by the brother of the first bozo) and bamm... your nice HA node is off-line. note: eth2 is still plugged and fine at the mii level. even an arp would return OK so going from mii to arp for the bond is not the right option. So. How could I check that an IP packet send via eth2 would really reach its vlan? I tried a probably naive thing: ifenslave -d bond0 eth2 ifconfig eth2 $ip netmask 255.255.255.255 route add -host $target eth2 ping $target (target is the gateway, ip is a reserved IP used only on this server to do that check) but it does not work as I hopped. Sometimes the ping is OK (but goes thru bond0) sometimes it blocks... The real question is How to do it properly (rather than how to fix my naive try). Thank you for your help. Olivier -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070719/75aaba9f/attachment.html From ams at toroid.org Thu Jul 19 19:02:51 2007 From: ams at toroid.org (Abhijit Menon-Sen) Date: Thu Jul 19 19:02:58 2007 Subject: [LARTC] gateway failover with linux Message-ID: <20070719170251.GA24923@toroid.org> Hi. I'm wondering if there's a good way to configure a Linux firewall box to failover to a single backup server, while preserving connection state. This question has been asked before, but the latest reference I can find is from 2004, at which time Linux had no equivalent of OpenBSD's pfsync, though Harald was said to be working on one. Did anything come of those efforts? Or is there now another alternative? Any examples or advice would be appreciated. Thank you. 
-- ams From ams at toroid.org Thu Jul 19 19:25:00 2007 From: ams at toroid.org (Abhijit Menon-Sen) Date: Thu Jul 19 19:25:11 2007 Subject: [LARTC] Re: gateway failover with linux In-Reply-To: <20070719170251.GA24923@toroid.org> References: <20070719170251.GA24923@toroid.org> Message-ID: <20070719172500.GA25266@toroid.org> At 2007-07-19 22:32:51 +0530, ams@toroid.org wrote: > > I'm wondering if there's a good way to configure a Linux firewall box > to failover to a single backup server, while preserving connection > state. Looks like this is it: http://people.netfilter.org/pablo/conntrack-tools/ -- ams From fubar at us.ibm.com Thu Jul 19 22:49:51 2007 From: fubar at us.ibm.com (Jay Vosburgh) Date: Thu Jul 19 22:50:08 2007 Subject: [LARTC] How to check an inactive slave in a bond? In-Reply-To: <469F6422.5060303@arsac.org> References: <469F6422.5060303@arsac.org> Message-ID: <15750.1184878191@death> olivier arsac wrote: [...] >Scenario: >your bond0 is running fine. it uses eth0 as active slave and eth2 as inactive >slave (different cards/ different driver to be safe) >some bozo reconfigures the switch port where your eth2 is plugged in and you >don't notice it (the crucial point here) >later on, your eth0 dies (or is unplugged by the brother of the first bozo) >and bamm... your nice HA node is off-line. >note: eth2 is still plugged and fine at the mii level. >even an arp would return OK so going from mii to arp for the bond is not the >right option. > >So. How could I check that an IP packet send via eth2 would really reach its >vlan? One obvious remedy is better bozo control, but for purposes of discussion, let's look at this as simply a question about assurance of the inactive path. The short answer to you question is that you can't do what you're trying to do. 
The bonding driver itself, as you've noted, is reasonably good at detecting link state, and connectivity to local network peers (via the ARP monitor), but doesn't provide full end-to-end path validation for all active and inactive slaves. The long answer is that end-to-end validation of the inactive path is fairly complicated, and can be tricky to do correctly. If an inactive slave transmits something, it may cause updating of forwarding tables on the network (either because ARP probes have this effect, or because many switches snoop traffic to determine which destination is reachable via which port), which is undesirable. Inactive slaves, at least in recent versions of bonding, also drop all incoming traffic to prevent the same packet from being delivered multiple times (if, e.g., a switch is flooding traffic to all ports of the bond for whatever reason). The ideal case is to issue, e.g., a ping (ICMP Echo Request) to some IP address on the desired destination. An IP-level probe is better in the grand scheme of things because an IP packet is routable and can reach off the local network (which an ARP cannot). If we move up to IPv6, this becomes more complicated, as the "inactive" slave would have to participated in the IPv6 stateless address autoconfiguration independently from the master, which also causes headaches for IPv6 snooping switches. So, to achieve an actual end to end test from the "inactive" slave to the peer of choice, it's necessary to isolate this traffic so that it properly returns to the "inactive" slave (and isn't routed back to the master). This separate communication needs to take place on a logically discrete network (which may also be physically discrete, as appears to be the case in your situation). If the "probe" network isn't separate from the "real" network, then intermediate routers may send the probes or replies over the wrong path, or improperly update forwarding tables and so on. 
The bonding driver today doesn't support this type of "independent" slave activity; all slaves are considered to be minions of the master, and aren't allowed to operate independently. I will point out that the ARP monitor, for a subset of cases, can come close to what you want. The current versions of the bonding driver support an "arp_validate" option, and can validate that the ARP probes (which are broadcasts) sent out over the active slave actually reach the inactive slave. It doesn't validate the ARP replies, as those are only received by the active slave, and it doesn't attempt to transmit on the inactive slave. >I tried a probably naive thing: >ifenslave -d bond0 eth2 >ifconfig eth2 $ip netmask 255.255.255.255 >route add -host $target eth2 >ping $target >(target is the gateway, ip is a reserved IP used only on this server to do that >check) >but it does not work as I hopped. Sometimes the ping is OK (but goes thru >bond0) sometimes it blocks... >The real question is How to do it properly (rather than how to fix my naive >try). I would hazard to guess that your problem here is likely one of routing. Maybe on the sender end, maybe on the reply end, maybe both. On the sender end, you can force ping to use a particular interface via the "-I" option, which will assure you that you're using the eth2 for the transmission. The question is going to be which path the reply packet takes to get back to the sender. The other problem, of course, is that you've removed your backup link from the bond, so if the primary should fail while you've got it running this ping test, you'll lose all connectivity. One perhaps cheap and easy, but not 100% reliable, method would be for you to periodically manually fail over the bond to whichever link is inactive (via ifenslave -c bond0 ethX, cycling X through your set of slave interfaces). 
The up side of this is that you'll exercise both paths regularly, so any bozo induced nonsense should become visible sooner rather than later; the precise interval for "sooner" depending upon how often the failover is induced. The down side is that a failover will probably lose at least a few packets, and you'll have to arrange your script or whatever to stop if you experience an actual failure. -J --- -Jay Vosburgh, IBM Linux Technology Center, fubar@us.ibm.com From gtaylor at riverviewtech.net Thu Jul 19 23:15:01 2007 From: gtaylor at riverviewtech.net (Grant Taylor) Date: Thu Jul 19 23:12:44 2007 Subject: [LARTC] gateway failover with linux In-Reply-To: <20070719170251.GA24923@toroid.org> References: <20070719170251.GA24923@toroid.org> Message-ID: <469FD455.9050903@riverviewtech.net> On 07/19/07 12:02, Abhijit Menon-Sen wrote: > I'm wondering if there's a good way to configure a Linux firewall box > to failover to a single backup server, while preserving connection > state. I'm a bit confused, are you wanting a single Linux firewall / router to have redundant internet connections, or to route traffic to redundant systems behind it and intelligently handle the failure of one or more of said redundant systems? I'm also not sure how conntrackd (comparable to OpenBSD's pfsync) is coming in to play here. Or is there more than one Linux firewall / router that you are wanting to synchronize? Or are you wanting the connection tracking between the multiple systems behind the Linux firewall / router? I think that all of these are possible to various degrees, though each uses a different method to achieve it. > This question has been asked before, but the latest reference I can > find is from 2004, at which time Linux had no equivalent of OpenBSD's > pfsync, though Harald was said to be working on one. 
*nod* Conntrackd is the tool that you want to use to synchronize connection tracking connection meta data between two systems, or the closest thing that Linux presently has (that I'm aware of). > Did anything come of those efforts? Or is there now another > alternative? Yes, conntrackd. > Any examples or advice would be appreciated. Will you please clarify what you are really wanting to do per above and I'll be more than happy to try to point you in the right direction. Grant. . . . From ams at toroid.org Fri Jul 20 03:20:32 2007 From: ams at toroid.org (Abhijit Menon-Sen) Date: Fri Jul 20 03:20:38 2007 Subject: [LARTC] Re: gateway failover with linux In-Reply-To: <469FD455.9050903@riverviewtech.net> References: <20070719170251.GA24923@toroid.org> <469FD455.9050903@riverviewtech.net> Message-ID: <20070720012032.GA29284@toroid.org> Hi Grant. At 2007-07-19 16:15:01 -0500, gtaylor@riverviewtech.net wrote: > > I'm a bit confused, are you wanting a single Linux firewall / > router to have redundant internet connections, or to route > traffic to redundant systems behind it and intelligently > handle the failure of one or more of said redundant systems? Neither. I just want a hot standby for a single Linux firewall, such that clients behind it are not affected by a hardware failure on the firewall. If my configuration would allow me to someday promote the backup and run both firewall machines in a load-balancing configuration, so much the better. The following example looks very much like what I want: http://people.netfilter.org/pablo/conntrack-tools/testcase.html (Can anyone comment on whether I should stick with keepalived as described above, or try out ucarp?) > Will you please clarify what you are really wanting to do per > above and I'll be more than happy to try to point you in the > right direction. Thanks, I'd appreciate any advice you can give me. 
-- ams From mohan.tux at gmail.com Fri Jul 20 03:32:27 2007 From: mohan.tux at gmail.com (Mohan Sundaram) Date: Fri Jul 20 03:33:09 2007 Subject: [LARTC] Re: gateway failover with linux In-Reply-To: <20070720012032.GA29284@toroid.org> References: <20070719170251.GA24923@toroid.org> <469FD455.9050903@riverviewtech.net> <20070720012032.GA29284@toroid.org> Message-ID: <46A010AB.7080501@vsnl.com> Abhijit Menon-Sen wrote: > Hi Grant. > > At 2007-07-19 16:15:01 -0500, gtaylor@riverviewtech.net wrote: >> I'm a bit confused, are you wanting a single Linux firewall / >> router to have redundant internet connections, or to route >> traffic to redundant systems behind it and intelligently >> handle the failure of one or more of said redundant systems? > > Neither. > > I just want a hot standby for a single Linux firewall, such that clients > behind it are not affected by a hardware failure on the firewall. If my > configuration would allow me to someday promote the backup and run both > firewall machines in a load-balancing configuration, so much the better. > > The following example looks very much like what I want: > > http://people.netfilter.org/pablo/conntrack-tools/testcase.html > > (Can anyone comment on whether I should stick with keepalived as > described above, or try out ucarp?) > >> Will you please clarify what you are really wanting to do per >> above and I'll be more than happy to try to point you in the >> right direction. > > Thanks, I'd appreciate any advice you can give me. > > -- ams In case your firewall is a proxy for some service, those connections will fail though - unless you can use a virtual interface with the same IP as the source for such connections. I guess you'll use vrrp in conjunction for failover. It would make sense to use vrrpd with status tracking of WAN gateway but AFAIK no such feature exists as yet. 
Mohan From gtaylor at riverviewtech.net Fri Jul 20 17:12:01 2007 From: gtaylor at riverviewtech.net (Grant Taylor) Date: Fri Jul 20 17:10:03 2007 Subject: [LARTC] Re: gateway failover with linux In-Reply-To: <20070720012032.GA29284@toroid.org> References: <20070719170251.GA24923@toroid.org> <469FD455.9050903@riverviewtech.net> <20070720012032.GA29284@toroid.org> Message-ID: <46A0D0C1.4090805@riverviewtech.net> On 07/19/07 20:20, Abhijit Menon-Sen wrote: > I just want a hot standby for a single Linux firewall, such that > clients behind it are not affected by a hardware failure on the > firewall. If my configuration would allow me to someday promote the > backup and run both firewall machines in a load-balancing > configuration, so much the better. Ok, to pull this off I would use a pair of Linux boxen with vrrpd and conntrackd with almost identical configurations on each system (save for host name and management IPs). For the sake of discussion I'll presume that you are using a cable modem or adsl connection to the internet with a static IP address. PPPoE / DHCP should be possible, but it will get much nastier. You will really want a minimum of two static IP addresses, three if possible, on each side of the firewall. One IP address will be for the routing of traffic and the other two will be for management. The one routing IP address will be the virtual IP that is passed back and forth between the systems and also the IP address that it looks like all your traffic passes through. Use VRRP to make sure that one of the systems will always have the routing IP up and functional. > The following example looks very much like what I want: > > http://people.netfilter.org/pablo/conntrack-tools/testcase.html *nod* This is very much what you are wanting to do. However I'm not sure that the direct connection between the two systems is absolutely required. However having not done this my self I can not say for sure. 
The last time I looked at this I was going to be trying to make redundant routers for a 1 - 3 Mbps connection and thus was planing on using VLANs to do Router-on-a-stick across two bonded 100 BaseT connections. So, if I needed to I could create a new VLAN for the router to router communications. > (Can anyone comment on whether I should stick with keepalived as > described above, or try out ucarp?) I would use vrrpd over keepalived. As far as ucarp, I'm not familiar with it so I can't comment. I can say that keepalived is much more complex and can do a lot more than what you need to do. Now if you were running a load balancing cluster of servers behind it, keepalived is the proper answer. However for just making sure that a router is available, vrrpd is much closer to what you need with out overkilling. In fact, I believe vrrpd only needs command line options and no config file where as, last I looked, keepalived has a very complex config file for all that it could do. With regards to "... run both firewall machines in a load-balancing configuration ..." I think that conntrackd will allow you to do this. At the very least, you can have inbound traffic use one firewall as its primary and outbound use the other firewall as its primary where each is a failover for the other. If you want inbound and / or outbound to use both routers at the same time, it gets very trick to have the layer 2 ethernet network know which router to use to send the traffic to. A quick run down of how VRRP (and Cisco's proprietary HSRP) works for those that may not know or want a refresher. VRRP uses a management IP and a virtual routing (that may or may not be one of the management IPs). The virtual routing IP uses a special MAC address (00-00-5E-00-01-). This special MAC address allows all client workstations using the virtual routing IP to be able to cache the MAC address and not have to re-arp for the system that currently has the IP. 
In the event that the backup router detects that the primary router is down, the backup router will claim to be the virtual IP on the virtual router MAC address, usually GARPing so that switches now see the virtual router MAC address on the new switch port. Thus when clients try to send traffic out through the virtual router, the layer 2 traffic will be to the virtual MAC address which the switches now know to be elsewhere on the functioning router. The net result is a very brief down time while the backup router is detecting that the primary is not functioning and switches over. (Note: This is a very far fetch problem, but is possible.) The only real problem with this scenario is if for some reason both routers are up and functioning, but for some reason they can not see each other, thus they both think the other node is down. In this case, you may have a battle for who is up. If you want to know what to do in this situation read about SONITH (Shoot Other Node In The Head) to make sure that there is only one active node at a time. You can configure VRRP to automatically switch back from the backup to the primary when the primary comes back on line, or let the backup remain the primary until it fails and then the real primary that is acting as the backup will resume its role as the primary. > Thanks, I'd appreciate any advice you can give me. Having a functioning understanding of what is going on will help make this a success. What you are wanting to do is completely possible and should be able to be achieved with out a lot of problems, but it is out side of the scope of any point and click GUI that I have seen for Linux. Good luck and let me know if there is any thing else that I can do to help. Grant. . . . 
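Grant's description of the virtual router MAC and of the two-routers-that-cannot-see-each-other case, worked as an added example that is not code from this thread: a parser for VRRPv2 advertisements (RFC 3768 layout, checksum included) and a check that flags a VRID being advertised by more than one sender on the same segment, which is what a split brain looks like on the wire. The addresses and the captured advertisements are constructed for the demonstration; that the last octet of the 00-00-5E-00-01 prefix is the VRID comes from RFC 3768, not from the thread.

```python
# Added example (not code from the thread): parse VRRPv2 advertisements and flag the
# "both routers think they are master" condition.  All packets and addresses below
# are constructed for the demonstration.
import struct
from ipaddress import IPv4Address

VRRP_VERSION = 2
VRRP_ADVERTISEMENT = 1


def vrrp_virtual_mac(vrid: int) -> str:
    """Virtual router MAC for a VRID: 00-00-5E-00-01-<VRID> (RFC 3768)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    return f"00:00:5e:00:01:{vrid:02x}"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advertisement(vrid: int, priority: int, vips, adver_int: int = 1) -> bytes:
    """Construct a VRRPv2 advertisement (auth type 0, eight zero bytes of auth data)."""
    head = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | VRRP_ADVERTISEMENT,
                       vrid, priority, len(vips), 0, adver_int, 0)
    body = b"".join(IPv4Address(ip).packed for ip in vips) + bytes(8)
    csum = inet_checksum(head + body)
    return head[:6] + struct.pack("!H", csum) + body


def parse_advertisement(payload: bytes) -> dict:
    """Decode a VRRPv2 advertisement; raise ValueError on anything malformed."""
    if len(payload) < 16:
        raise ValueError("too short for a VRRPv2 message")
    ver_type, vrid, priority, count, auth_type, adver_int, _ = struct.unpack(
        "!BBBBBBH", payload[:8])
    if ver_type >> 4 != VRRP_VERSION or ver_type & 0x0F != VRRP_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement")
    if len(payload) != 8 + 4 * count + 8:
        raise ValueError("length does not match the IP address count")
    if inet_checksum(payload) != 0:  # a message with a correct checksum sums to zero
        raise ValueError("bad checksum")
    vips = [str(IPv4Address(payload[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": priority, "adver_int": adver_int,
            "auth_type": auth_type, "vips": vips}


def is_valid_advertisement(payload: bytes) -> bool:
    try:
        parse_advertisement(payload)
        return True
    except ValueError:
        return False


def find_split_brain(observations) -> list:
    """observations: (source_ip, vrrp_payload) pairs captured on one LAN segment over a
    few advertisement intervals.  Only the Master of a VRID sends advertisements, so two
    distinct senders for one VRID means two routers both believe they are Master.
    Priority-0 advertisements (a Master stepping down) are skipped so that an orderly
    hand-over is not reported as a conflict."""
    senders = {}
    for src, payload in observations:
        try:
            adv = parse_advertisement(payload)
        except ValueError:
            continue
        if adv["priority"] == 0:
            continue
        senders.setdefault(adv["vrid"], {})[src] = adv["priority"]
    return [{"vrid": vrid, "virtual_mac": vrrp_virtual_mac(vrid), "masters": masters}
            for vrid, masters in sorted(senders.items()) if len(masters) > 1]


# Constructed capture: VRID 1 is advertised by two routers at once (split brain),
# VRID 2 by one router plus a priority-0 hand-over advertisement from another.
SAMPLE_CAPTURE = [
    ("192.0.2.1", build_advertisement(1, 200, ["192.0.2.254"])),
    ("192.0.2.2", build_advertisement(1, 100, ["192.0.2.254"])),
    ("192.0.2.3", build_advertisement(2, 150, ["192.0.2.253"])),
    ("192.0.2.4", build_advertisement(2, 0, ["192.0.2.253"])),
]

if __name__ == "__main__":
    for finding in find_split_brain(SAMPLE_CAPTURE):
        print(f"VRID {finding['vrid']} ({finding['virtual_mac']}) has several masters: "
              f"{finding['masters']}")
```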
From gtaylor at riverviewtech.net Fri Jul 20 17:15:52 2007 From: gtaylor at riverviewtech.net (Grant Taylor) Date: Fri Jul 20 17:13:37 2007 Subject: [LARTC] Re: gateway failover with linux In-Reply-To: <46A010AB.7080501@vsnl.com> References: <20070719170251.GA24923@toroid.org> <469FD455.9050903@riverviewtech.net> <20070720012032.GA29284@toroid.org> <46A010AB.7080501@vsnl.com> Message-ID: <46A0D1A8.1080108@riverviewtech.net> On 07/19/07 20:32, Mohan Sundaram wrote: > It would make sense to use vrrpd with status tracking of WAN gateway > but AFAIK no such feature exists as yet. If I understand what you are saying, you are referring to an external T-1 router converting from the WAN circuit to the ethernet going in to the two routers right? If this is the case, no matter what is done, the WAN router is a single point of failure and thus can not be avoided. No matter what, the Linux boxen can be configured such that they will try to reach this single point of failure and in the event that they can not do so, they (both) will ultimately return an ICMP "no route to host" error message back to the client. However this is out side the scope of what VRRP is meant to do. Grant. . . . From xktnniuymlla at mailinator.com Fri Jul 20 22:45:14 2007 From: xktnniuymlla at mailinator.com (Mike Wright) Date: Fri Jul 20 22:45:14 2007 Subject: [LARTC] newbie needs policing help Message-ID: <46A11EDA.90507@mailinator.com> Hi listizens, Complete tc newbie here. I'm in a pinch because of a mail assault on a server. I've firewalled away many of the most egregious offenders but non-smtp services are still being DOS'ed because of all the mail traffic. Here is what I've tried. 
(I did say newbie ;)

-----------------
#!/bin/sh
#
# policing parent
tc qdisc add dev eth0 handle ffff: ingress
#
# filter should slow tcp smtpd traffic to 64k max
# (port 25 is given in decimal; 0x25 would be port 37, not smtp)
tc filter add dev eth0 parent ffff: protocol ip prio 50 \
  u32 match ip dport 25 0xffff match ip protocol 0x06 0xff \
  police rate 55kbit burst 9k drop flowid :1
-----------------

...but I haven't the slightest idea how to check up on it. e.g. with iproute2 I could say "ip route list" to see what was in there, but how can I check tc rules? "tc qdisc show" gives some cryptic output but "tc filter show dev eth0" returns nothing. (I'm not even sure if the above rules make any sense :( )

Any helpers out there?

TIA,
Mike Wright :m)

From xktnniuymlla at mailinator.com Sat Jul 21 00:41:58 2007
From: xktnniuymlla at mailinator.com (Mike Wright)
Date: Sat Jul 21 00:41:58 2007
Subject: [LARTC] [SOLVED] newbie needs policing help
In-Reply-To: <46A11EDA.90507@mailinator.com>
References: <46A11EDA.90507@mailinator.com>
Message-ID: <46A13A36.9050704@mailinator.com>

Mike Wright wrote:
> Hi listizens,
>
> Complete tc newbie here. I'm in a pinch because of a mail assault on a
> server. I've firewalled away many of the most egregious offenders but
> non-smtp services are still being DOS'ed because of all the mail traffic.

Finally found the Cookbook and that set me on my way. No wonder I couldn't figure out what was going on. I'd been using the man pages ;)

From ams at toroid.org Sat Jul 21 02:29:54 2007
From: ams at toroid.org (Abhijit Menon-Sen)
Date: Sat Jul 21 02:30:00 2007
Subject: [LARTC] Re: gateway failover with linux
In-Reply-To: <46A0D0C1.4090805@riverviewtech.net>
References: <20070719170251.GA24923@toroid.org> <469FD455.9050903@riverviewtech.net> <20070720012032.GA29284@toroid.org> <46A0D0C1.4090805@riverviewtech.net>
Message-ID: <20070721002954.GA14479@toroid.org>

At 2007-07-20 10:12:01 -0500, gtaylor@riverviewtech.net wrote:
>
> > I just want a hot standby for a single Linux firewall [...]
> > I would use a pair of Linux boxen with vrrpd and conntrackd OK, great. I didn't know about vrrpd. I'll check it out. > As far as ucarp, I'm not familiar with it so I can't comment. If I have the time, I'll try out ucarp and post a summary of my experiences for the archives. > If you want to know what to do in this situation read about SONITH > (Shoot Other Node In The Head) to make sure that there is only one > active node at a time. ("STONITH", for those asking Google.) I have one other question. How does conntrackd interact with traffic shaping? My firewall also uses HTB to impose various bandwidth limits on clients. From what I've read so far, I have the impression that the failover may lose some packets that are being delayed in a queue, but existing connections should recover and be esentially unaffected. Can anyone confirm that? -- ams From junger at telcordia.com Sat Jul 21 04:28:40 2007 From: junger at telcordia.com (Unger, John W) Date: Sat Jul 21 04:28:50 2007 Subject: [LARTC] Problem With NFS and iptables Message-ID: I have a setup where I am running on a machine with Red Hat Enterprise Linux Release 3. I have a userland program that is attempting to attach to libipq. When I issue the 'iptables -A OUTPUT -t mangle -j QUEUE' command to attach, the machine hangs. The only way to unhang the machine is to do a hard restart. All the machine's filesystems are connected to an NFS server, including the /usr filesystem. So the OS is also running from the NFS server. The userland program works correctly on the NFS server and on other machines that are not NFS clients. Is there some way that I can configure iptables to allow the NFS commands to be performed while the '-j QUEUE' command is executing? I believe that is where the problem is occurring because the hang occurs when that command is executing. Does anyone else have a setup similar to this one? If so, could you share your configuration information? Any help would be greatly appreciated. 
John Unger

From daniel.schaffrath at mac.com Sun Jul 22 16:04:39 2007
From: daniel.schaffrath at mac.com (Daniel Schaffrath)
Date: Sun Jul 22 16:05:26 2007
Subject: [LARTC] Fwd: PFIFO to contain more pkts than allowed by TCP peer?
References:
Message-ID: <9995B760-4B3D-49E5-99D1-E70EA20D0C6F@mac.com>

Maybe this is the right place to ask?

Thanks again,
Daniel

Begin forwarded message:

> From: Daniel Schaffrath
> Date: 21 July 2007 11:01:01 GMT+02:00
> To: linux-net@vger.kernel.org
> Subject: PFIFO to contain more pkts than allowed by TCP peer?
>
> Hello everybody,
>
> when the one and only connection originating my box is a TCP stream
> which is limited by the advertised window of my peer at - lets say
> - 47 pkts, I would expect 'tc -s qdisc show' to show at most 47
> pkts in the pfifo of the appropriate device. Unfortunately, this is
> not the case. It's around 83 (twice as much??). Anyone any hints
> how come?
>
> Thank you,
> Daniel
> -
> To unsubscribe from this list: send the line "unsubscribe linux-net" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html

From gtaylor at riverviewtech.net Sun Jul 22 20:23:31 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Sun Jul 22 20:23:45 2007
Subject: [LARTC] Re: gateway failover with linux
In-Reply-To: <46A16961.8050703@vsnl.com>
References: <20070719170251.GA24923@toroid.org> <20070720012032.GA29284@toroid.org> <46A010AB.7080501@vsnl.com> <46A0D1A8.1080108@riverviewtech.net> <46A16961.8050703@vsnl.com>
Message-ID: <46A3A0A3.20206@riverviewtech.net>

On 7/20/2007 9:03 PM, Mohan Sundaram wrote:
> I think my point was misunderstood. Let us say each of these Linux
> boxes are connected to a WAN link each. If the WAN gateway/link of a
> box goes down, vrrp must flag itself down or as secondary. Some
> similarity to our earlier discussions on redundant gateways. This
> feature of object tracking is available in CISCO (their patent) but
> only tracks the interface status and not the gateway reachability.
> I'd love to have a feature where gateway reachability is tracked.

Each firewall / router / gateway having its own independent wan / internet connection makes things a bit different. First of all, each will have its own public IP address for the associated WAN link and as such probably have its own NAT configuration.

I wonder, what type of WAN connection are these? Could both be hooked up to both gateways? In other words are they ethernet or something that gets bridged to ethernet or are they some sort of legacy WAN link, i.e. T1, Frame Relay, ATM? If you could connect the WAN links to both systems, you can have even more functionality and you would be back to what I was originally thinking except for the fact that instead of one WAN connection, you have two to make each router aware of.

At the very least, I think you will need to make each router aware of the other one.
This way, if a router's (primary) WAN link is not usable it can route the traffic over to the other router and have it route the traffic out to the world. Thus each router would have a primary default gateway of the router at the other end of its WAN link *AND* a secondary default gateway of the other router that it is connected to. I also think that you are very close to needing to use some sort of monitoring utility / daemon to check the status of the WAN link *AND* to make the other router aware of the status. This may be easily done with a small daemon to monitor the link and update the local routing table in conjunction with a routing protocol between the two routers to keep each aware of the others routing table. If you have any more information on Cisco's technology I'd be interested in doing some reading about it if you would care to toss it my way. Grant. . . . From gtaylor at riverviewtech.net Sun Jul 22 20:35:48 2007 From: gtaylor at riverviewtech.net (Grant Taylor) Date: Sun Jul 22 20:35:56 2007 Subject: [LARTC] Re: gateway failover with linux In-Reply-To: <46A16D0A.5070503@vsnl.com> References: <20070719170251.GA24923@toroid.org> <469FD455.9050903@riverviewtech.net> <20070720012032.GA29284@toroid.org> <46A0D0C1.4090805@riverviewtech.net> <46A16D0A.5070503@vsnl.com> Message-ID: <46A3A384.9030400@riverviewtech.net> On 7/20/2007 9:18 PM, Mohan Sundaram wrote: > In VRRP based gateway pairs, this is normally done by partitioning > the LAN to use both gateways by different subnets. i.e G1 is primary > for subnet1 with G2 as secondary; G2 is primary for subnet2 with G1 > as secondary. This is done by defining multiple vrrp groups. AFAIK, > no dynamic balancing methods/ features exist. Agreed, this would be the easiest to implement active / active with traffic flowing out through both routers. I was trying to state that outbound for the network would flow through one router while inbound would flow through the other router. 
This could also be extended to mirror the multiple subnets like you are talking about too, though I think load sharing reasoning would be lost at that point as you have more traffic on both routers. At this point in time it would come down to statistics of network load to see how you wanted to do it. I'm sure there are ways that you can have all traffic spread across both routers in either direction. Though I'm not quite sure how to go about it. I'm going to say that VRRP / Load Balancing / Bridging / Layer 2 Filtering / and other services would be in effect to divide the traffic across both active routers. No matter how you slice it, this is beyond the scope of the OPs question. I was merely stating that things are possible. Grant. . . . From lists at andyfurniss.entadsl.com Mon Jul 23 13:05:17 2007 From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Mon Jul 23 13:06:42 2007 Subject: [LARTC] Fwd: PFIFO to contain more pkts than allowed by TCP peer? In-Reply-To: <9995B760-4B3D-49E5-99D1-E70EA20D0C6F@mac.com> References: <9995B760-4B3D-49E5-99D1-E70EA20D0C6F@mac.com> Message-ID: <46A48B6D.9020203@andyfurniss.entadsl.com> Daniel Schaffrath wrote: > Maybe this is the right place to ask? > > Thanks again, > Daniel > > > Begin forwarded message: > >> From: Daniel Schaffrath >> Date: 21 July 2007 11:01:01 GMT+02:00 >> To: linux-net@vger.kernel.org >> Subject: PFIFO to contain more pkts than allowed by TCP peer? >> >> Hello everybody, >> >> when the one and only connection originating my box is a TCP stream >> which is limited by the advertised window of my peer at - lets say - >> 47 pkts, I would expect 'tc -s qdisc show' to show at most 47 pkts in >> the pfifo of the appropriate device. Unfortunately, this is not the >> case. It's around 83 (twice as much??). Anyone any hints how come? Maybe tcp window scaling - you can tcpdump the syn/syn ack of the connection to see what if any scale factors are being used. 
If pfifo is just on the root of a device rather than as a child of something that ratelimits, then there could be 100s of packets in a further buffer before you even see a backlog.

Andy.

From vdautrem at ulb.ac.be Tue Jul 24 03:36:27 2007
From: vdautrem at ulb.ac.be (Vincent Dautremont)
Date: Tue Jul 24 03:36:31 2007
Subject: [LARTC] about default filter command
Message-ID: <5C822E76-E686-499C-B408-90EF00C1494C@ulb.ac.be>

Hi,

here I have another newcomer question :-)

in the section 9.6.1 of this howto http://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.qdisc.filters.html we can read commands about filters :

------------------------------------------
# tc filter add dev eth0 protocol ip parent 10: prio 1 u32 match \
  ip dport 22 0xffff flowid 10:1
# tc filter add dev eth0 protocol ip parent 10: prio 1 u32 match \
  ip sport 80 0xffff flowid 10:1
# tc filter add dev eth0 protocol ip parent 10: prio 2 flowid 10:2

What does this say? It says: attach to eth0, node 10: a priority 1 u32 filter that matches on IP destination port 22 *exactly* and send it to band 10:1. And it then repeats the same for source port 80. The last command says that anything unmatched so far should go to band 10:2, the next-highest priority.
------------------------------------------

I try to do this at home as I want my ssh traffic to have priority over other traffic, but the problem is with the last command! It simply doesn't work. The last command, which says default traffic goes to prio 2, doesn't work:

# tc filter add dev eth0 protocol ip parent 10: prio 2 flowid 10:2

just gives me the error: "Unknown filter flowid, hence option 1:2 is unparsable"

So I don't get what I must do in order to say that the default traffic goes on priority 2 of the prio filter. Is this howto still valid with the current version of tc? Did I do something wrong?

Thank you for your help.
Vincent.

From fragabr at gmail.com Tue Jul 24 03:59:39 2007
From: fragabr at gmail.com (Dâniel Fraga)
Date: Tue Jul 24 04:25:09 2007
Subject: [LARTC] Hotplug and Multipath routes = lost route
Message-ID:

I have 2 cable modems on a server (Linux 2.6.22). I use multipath, so the route is something like this:

default nexthop via 201.6.102.1 dev eth1 weight 256 nexthop via 201.6.107.1 dev eth2 weight 128

The first one (eth1) has a higher priority, then when it goes down, I can "ifconfig" the interface eth1 down and Linux automatically detects the "dead" gateway and changes the route to the second one. Ok.

The problem is that when one of the modems goes down, and as they use the cdc_ether module to communicate via USB, the *entire* route is erased because one of the devices doesn't exist anymore. It's not a problem with hotplug, since it's correct to remove the device and the route that would go through it. But it would be nice if the kernel just removed the specific "nexthop" which uses the inactive device instead of removing the entire default route.

Is there a way to tell the kernel to do that? Or to not remove the route at all and just mark the "nexthop" with the inactive device as dead and wait for it to come back alive?

Thank you!

-- 
Linux 2.6.22: Holy Dancing Manatees, Batman!
http://www.lastfm.pt/user/danielfraga
http://u-br.net
The Cranberries - "Dreams" (Everybody Else Is Doing It, So Why Can't We?)

Linux 2.6.22: Holy Dancing Manatees, Batman!
http://www.lastfm.pt/user/danielfraga
http://u-br.net
Oasis - "Wonderwall" ((What's the Story) Morning Glory?)
From gtaylor at riverviewtech.net Tue Jul 24 06:27:37 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Tue Jul 24 06:27:51 2007
Subject: [LARTC] Hotplug and Multipath routes = lost route
In-Reply-To:
References:
Message-ID: <46A57FB9.8060907@riverviewtech.net>

On 7/23/2007 8:59 PM, Dâniel Fraga wrote:
> Is there a way to tell the kernel to do that? Or to not remove
> the route at all and just mark the "nexthop" with the inactive device
> as dead and wait for it to come back alive?

Do some reading about Julian Anastasov's kernel patches, in particular the dead gateway detection patch (http://www.ssi.bg/~ja/dgd.txt).

Grant. . . .

From ams at toroid.org Tue Jul 24 07:12:54 2007
From: ams at toroid.org (Abhijit Menon-Sen)
Date: Tue Jul 24 07:13:00 2007
Subject: [LARTC] throwing away unclassified traffic
Message-ID: <20070724051254.GA14202@toroid.org>

Hi.

I'm using u32 filters matching src/dst IP addresses to assign traffic to one of many HTB classes for an interface. What is the best way to throw away all traffic that isn't explicitly assigned to a class?

(Right now I'm setting "default" on the root qdisc to an HTB class with "rate 0", but I'd love to hear a better way, if there is one.)

-- ams

From fragabr at gmail.com Wed Jul 25 08:58:03 2007
From: fragabr at gmail.com (Dâniel Fraga)
Date: Wed Jul 25 09:10:31 2007
Subject: [LARTC] Re: Hotplug and Multipath routes = lost route
References: <46A57FB9.8060907@riverviewtech.net>
Message-ID:

On Mon, 23 Jul 2007 23:27:37 -0500 Grant Taylor wrote:
> Do some reading about Julian Anastasov's kernel patches, in
> particular the dead gateway detection patch
> (http://www.ssi.bg/~ja/dgd.txt).

Yes, I read that, but I don't understand why those patches aren't merged in the kernel. Is there some kind of opposition to these patches?

Thanks.

-- 
Linux 2.6.22: Holy Dancing Manatees, Batman!
http://www.lastfm.pt/user/danielfraga
http://u-br.net
Sade - "Kiss of Life" (The Best of Sade - 2002)

From thuleau at gmail.com Wed Jul 25 15:14:31 2007
From: thuleau at gmail.com (Edouard Thuleau)
Date: Wed Jul 25 15:14:38 2007
Subject: [LARTC] Patch accurate packet scheduling for ATM/ADSL
Message-ID: <81c11a560707250614h6d89b614t8c906f8e552248a4@mail.gmail.com>

Hi,

I use the patch (http://ace-host.stuart.id.au/russell/files/tc/tc-atm/) for accurate packet scheduling on an ATM/ADSL link and I think I've found a bug. I tried to write to the author but he didn't answer me.

I work on a Linux 2.6.17 with the iproute2-2.6.18-061002 package. I change the type of the cell_align char to short of the struct tc_ratespec in the file pkt_sched.h (in the include/linux/ directories of iproute package and the kernel source) :

struct tc_ratespec { unsigned char cell_log; unsigned char __reserved; unsigned short feature; /* Always 0 in pre-atm patch kernels */ - char cell_align; /* Always 0 in pre-atm patch kernels */ - unsigned char __unused; + short cell_align; /* Always 0 in pre-atm patch kernels */ unsigned short mpu; __u32 rate; };

The results are much better and with my tests, it works very nicely.

If it can help someone,
Edouard.

From gtaylor at riverviewtech.net Wed Jul 25 16:36:44 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Wed Jul 25 16:34:25 2007
Subject: [LARTC] Re: Hotplug and Multipath routes = lost route
In-Reply-To:
References: <46A57FB9.8060907@riverviewtech.net>
Message-ID: <46A75FFC.3060004@riverviewtech.net>

On 07/25/07 01:58, Dâniel Fraga wrote:
> Yes, I read that, but I don't understand why those patches aren't
> merged in the kernel. Is there some kind of opposition to these
> patches?

Julian would be the better person to ask, but I'll take a stab at it. I don't know of any opposition per se that is preventing the patches from going in to the main line kernel.
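Review bot: the struct tc_ratespec change in Edouard's message above treats a signedness problem as a width problem. cell_align only ever holds values in -7..0, which fit in one byte; what differs between machines is whether plain `char` is signed, and on targets where it is unsigned (ARM, for example) those values are read as 249..255, so the alignment is applied with the wrong sign. `short` is always signed, which is why widening the field appears to fix things. The minimal change that keeps the existing two-byte layout is `signed char cell_align;` (or `__s8`) with `__unused` left in place. Whichever form is chosen, tc_ratespec is kernel/userspace ABI, so the kernel's include/linux/pkt_sched.h and iproute2's copy must be changed together, as the message already does.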
I think it has more to do with the need for the functionality verses the complexity both of which in conjunction with the fact that in the later 2.6 kernel networking and net filter code has undergone *MASSIVE* changes. As such the demand to get the patches in to the kernel has probably not been high enough to warrant the effort, especially if the patches will apply cleanly to a stock kernel. > Thanks. *nod* Grant. . . . From fragabr at gmail.com Thu Jul 26 04:34:12 2007 From: fragabr at gmail.com (=?ISO-8859-1?Q?D=E2niel?= Fraga) Date: Thu Jul 26 05:05:25 2007 Subject: [LARTC] Definitive way to aggregate bandwidth using multiple links Message-ID: <4qdln4-tl7.ln1@tux.abusar.org> I always used multiple links from different ISPs and in my oppinion the best way to really aggregate bandwidth is using some kind of proxy which the client connects to and distribute multiple connections to the links. Years ago, a friend of mine wrote Netsplitter: http://www.hostname.org/netsplitter/ but it's outdated, abandoned (last version from 2002). And it was mainly written for FreeBSD but could run on Linux too. Another project which supposed to aggregate bandwidth was eqlplus, which is outdated too: http://www.technetra.com/solutions/eqlplus/ Main Netsplitter advantages over eqlplus: 1) it doesn't require kernel patches, it runs completely in user space 2) it isn't restricted to serial lines (slip, uncompressed ppp). Finally we can use our ethernet links :) 3) simpler configuration Anyway, I'd like to ask if somebody knows about some other project similar to these. With netsplitter everything was so simple, I redirect the connections to the netsplitter daemon, which acts like a proxy, and opened multiple connections to a ftp/http/whatever server and it distributed the connections over the links... very nice. This way we don't have to mess with the kernel. The method is elegant and transparent. Thanks! -- Linux 2.6.22: Holy Dancing Manatees, Batman! 
From fragabr at gmail.com Thu Jul 26 07:55:21 2007
From: fragabr at gmail.com (Dâniel Fraga)
Date: Thu Jul 26 07:56:11 2007
Subject: [LARTC] Definitive way to aggregate bandwidth using multiple links
References: <4qdln4-tl7.ln1@tux.abusar.org> <2dae841b0707252236l31409205gf95971fde9fd5e64@mail.gmail.com>
Message-ID: <9jpln4-3l9.ln1@tux.abusar.org>

On Wed, 25 Jul 2007 23:36:54 -0600 "Jan Mulders" wrote:

> From the looks of these two programs, they seem to 'round robin'
> outgoing TCP requests over multiple links - I believe most iptables
> frontends (I know Shorewall does out of the box) allow you to
> round-robin outgoing connections over multiple different source IP
> addresses when masquerading using NAT, which is usually functionally
> identical to what these two do, if I am not mistaken?

I'm afraid yes, Jan, because it isn't enough to round-robin connections; you have to make sure that if a single client opens, for example, 5 connections, they will be split across the available links, aggregating bandwidth. I think it's impossible to do this just with iptables. Even multipath (using the above example) would just put all 5 connections on a single link :(.

> I'm also interested to hear of related projects: I use OpenVPN to
> provide a tunneling VPN to my users, and have lots of problems with
> insufficient throughput over TCP, even when more bandwidth is
> available. My main goal is to try and split TCP streams into multiple
> streams, then reassemble them at the other end - this seems to be
> something neither of the above are intended to do.

Maybe some kind of bonding, but the problem is that the 2 endpoints of your VPN aren't directly connected, otherwise you could use bonding or TEQL. There's EQL for serial links, but you'd have to install it on both ends...

-- 
Linux 2.6.22: Holy Dancing Manatees, Batman!
From russell-tcatm at stuart.id.au Thu Jul 26 11:38:44 2007
From: russell-tcatm at stuart.id.au (Russell Stuart)
Date: Thu Jul 26 11:39:12 2007
Subject: [LARTC] Patch accurate packet scheduling for ATM/ADSL
In-Reply-To: <81c11a560707250614h6d89b614t8c906f8e552248a4@mail.gmail.com>
References: <81c11a560707250614h6d89b614t8c906f8e552248a4@mail.gmail.com>
Message-ID: <1185442724.4200.185.camel@ras>

On Wed, 2007-07-25 at 15:14 +0200, Edouard Thuleau wrote:
> I use the patch
> (http://ace-host.stuart.id.au/russell/files/tc/tc-atm/) for accurate
> packet scheduling on an ATM/ADSL link and I think I've found a bug.
> I tried to write to the author but he didn't answer me.

Sorry. :( I have now.

> I work on Linux 2.6.17 with the iproute2-2.6.18-061002 package.
> I changed the type of cell_align in struct tc_ratespec from char to
> short in the file pkt_sched.h (in the include/linux/ directories
> of the iproute package and the kernel source):
>
> struct tc_ratespec
> {
> unsigned char cell_log;
> unsigned char __reserved;
> unsigned short feature; /* Always 0 in pre-atm patch kernels */
> - char cell_align; /* Always 0 in pre-atm patch kernels */
> - unsigned char __unused;
> + short cell_align; /* Always 0 in pre-atm patch kernels */
> unsigned short mpu;
> __u32 rate;
> };
>
> The results are much better and in my tests it works very nicely.
>
> If it can help someone,

I can't see how that would change things, as the cell align always lies within the range -7..0. The only thing that springs to mind is perhaps you aren't using i386, and your CPU doesn't sign extend chars??? What CPU are you using?

From womking at gmail.com Thu Jul 26 11:53:49 2007
From: womking at gmail.com (吴明军)
Date: Thu Jul 26 11:53:58 2007
Subject: [LARTC] tc filter not work, why?
Message-ID:

I try to use tc on MIPS with linux-2.4.18 but the u32 filter doesn't work.

I added the htb qdisc to linux-2.4.18 and use it to limit the speed in the LAN; it only works well on the default class. For example:

tc qdisc add dev eth0 root handle 1: htb default 10
tc class add dev eth0 parent 1:0 classid 1:1 htb rate 2000kbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 500kbit ceil 500kbit
tc class add dev eth0 parent 1:1 classid 1:11 htb rate 300kbit ceil 300kbit
tc filter add dev eth0 protocol ip u32 match ip dst 192.168.18.100 flowid 1:11

The host 192.168.18.100 has a speed of 500kbit rather than 300kbit.

If I don't set the default 10 class, all this doesn't have any effect.

Why?

Thank you.

From hijacker at oldum.net Thu Jul 26 12:11:58 2007
From: hijacker at oldum.net (Nikolay Kichukov)
Date: Thu Jul 26 12:12:20 2007
Subject: [LARTC] tc filter not work, why?
In-Reply-To:
References:
Message-ID: <46A8736E.3070208@oldum.net>

Hello 吴明军,

Maybe in your filter statement you should use src rather than dst? It is not clear what interface is connected to what hosts.

HTH,
-Nik

吴明军 wrote:
> I try to use tc on mips with linux-2.4.18 but the u32 filter dosn't work
> [...]
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From thuleau at gmail.com Thu Jul 26 12:22:39 2007
From: thuleau at gmail.com (Edouard Thuleau)
Date: Thu Jul 26 12:22:45 2007
Subject: [LARTC] Patch accurate packet scheduling for ATM/ADSL
In-Reply-To: <1185442724.4200.185.camel@ras>
References: <81c11a560707250614h6d89b614t8c906f8e552248a4@mail.gmail.com> <1185442724.4200.185.camel@ras>
Message-ID: <81c11a560707260322m14a53679h99167d346a9d1613@mail.gmail.com>

Hi,

2007/7/26, Russell Stuart :
> On Wed, 2007-07-25 at 15:14 +0200, Edouard Thuleau wrote:
> > I use the patch
> > (http://ace-host.stuart.id.au/russell/files/tc/tc-atm/) for accurate
> > packet scheduling on an ATM/ADSL link and I think I've found a bug.
> > I tried to write to the author but he didn't answer me.
>
> Sorry. :( I have now.

Thanks for your answer.

> > I work on Linux 2.6.17 with the iproute2-2.6.18-061002 package.
> > I changed the type of cell_align in struct tc_ratespec from char to
> > short in the file pkt_sched.h (in the include/linux/ directories
> > of the iproute package and the kernel source):
> >
> > struct tc_ratespec
> > {
> > unsigned char cell_log;
> > unsigned char __reserved;
> > unsigned short feature; /* Always 0 in pre-atm patch kernels */
> > - char cell_align; /* Always 0 in pre-atm patch kernels */
> > - unsigned char __unused;
> > + short cell_align; /* Always 0 in pre-atm patch kernels */
> > unsigned short mpu;
> > __u32 rate;
> > };
> >
> > The results are much better and in my tests it works very nicely.
> >
> > If it can help someone,
>
> I can't see how that would change things, as the cell align
> always lies within the range -7..0. The only thing that
> springs to mind is perhaps you aren't using i386, and your
> CPU doesn't sign extend chars??? What CPU are you using?

Yes, I use an ARM big-endian architecture; that's my problem. I understand now.
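Review bot: in the hunk, replacing `char cell_align` with `short cell_align` cures the symptom for the wrong reason. Plain `char` has implementation-defined signedness, signed on i386 and unsigned on ARM, so the -7..0 values Russell describes read back as 249..255 on the ARM box; `short` is signed everywhere, which is why it works, but the minimal portable change is `signed char cell_align;` (the kernel's `__s8`), which keeps the original one-byte field and the `__unused` pad exactly as they were. Whichever type is chosen, the iproute2 and kernel copies of pkt_sched.h have to change together, since struct tc_ratespec crosses the netlink boundary as a raw struct.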
If we use a short, the patch works on all architectures, no?

Thanks.

From georgi.alexandrov at gmail.com Thu Jul 26 13:55:12 2007
From: georgi.alexandrov at gmail.com (Georgi Alexandrov)
Date: Thu Jul 26 13:55:33 2007
Subject: [LARTC] about default filter command
In-Reply-To: <5C822E76-E686-499C-B408-90EF00C1494C@ulb.ac.be>
References: <5C822E76-E686-499C-B408-90EF00C1494C@ulb.ac.be>
Message-ID: <46A88BA0.8040503@gmail.com>

Vincent Dautremont wrote:
> Hi,
> here I have another newcomer question :-)
> in section 9.6.1 of this how-to
> http://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.qdisc.filters.html
> we can read commands about filters:
> ------------------------------------------
>
> # tc filter add dev eth0 protocol ip parent 10: prio 1 u32 match \
> ip dport 22 0xffff flowid 10:1
> # tc filter add dev eth0 protocol ip parent 10: prio 1 u32 match \
> ip sport 80 0xffff flowid 10:1
> # tc filter add dev eth0 protocol ip parent 10: prio 2 flowid 10:2
>
> What does this say? It says: attach to eth0, node 10: a priority 1 u32
> filter that matches on IP destination port 22 *exactly* and send it to
> band 10:1. And it then repeats the same for source port 80. The last
> command says that anything unmatched so far should go to band 10:2, the
> next-highest priority.
>
> ------------------------------------------
>
> I tried to do this at home as I want my ssh traffic to have priority over
> other traffic, but the problem is with the last command: it simply doesn't
> work. The last command, which says default traffic goes to prio 2, doesn't work:
>
> # tc filter add dev eth0 protocol ip parent 10: prio 2 flowid 10:2
>
> It just gives me the error: "Unknown filter flowid, hence option 1:2 is
> unparsable"
>
> So I don't get what I must do in order to say that the default traffic
> goes on priority 2 of the prio filter.
>
> Is this how-to still valid with the current version of tc? Did I do
> something wrong?
>
> Thank you for your help.

You should have posted *all* your tc rules.
-- 
regards,
Georgi Alexandrov

key server - pgp.mit.edu :: key id - 0x37B4B3EE
Key fingerprint = E429 BF93 FA67 44E9 B7D4 F89E F990 01C1 37B4 B3EE

From gtaylor at riverviewtech.net Thu Jul 26 16:30:51 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Thu Jul 26 16:28:29 2007
Subject: [LARTC] Definitive way to aggregate bandwidth using multiple links
In-Reply-To: <9jpln4-3l9.ln1@tux.abusar.org>
References: <4qdln4-tl7.ln1@tux.abusar.org> <2dae841b0707252236l31409205gf95971fde9fd5e64@mail.gmail.com> <9jpln4-3l9.ln1@tux.abusar.org>
Message-ID: <46A8B01B.8030000@riverviewtech.net>

On 07/26/07 00:55, Dâniel Fraga wrote:
> Maybe some kind of bonding, but the problem is that the 2 endpoints of
> your VPN aren't directly connected, otherwise you could use bonding
> or TEQL. There's EQL for serial links, but you'd have to install it
> on both ends...

*nod*

The only thing that comes to mind that would facilitate true aggregation of multiple links would be to have a server on very high bandwidth that you could create multiple tunnels (IPIP / IPSec / GRE) to, have it aggregate the multiple tunnels together, and then use the aggregated tunnel as your larger pipe to the world, doing all your NATing at that end so the world would see you from one largish connection. At least in theory this is sound with Multi-Link PPP. However, I do not know of anyone that has done this.

I suppose this would be a decent service if someone could make it turnkey. Would anyone care to jointly work on something like this? I could locate a box on an OC-3 for testing purposes, but not for long-term production, at least not without paying hundreds per month.
I suppose such a service should support IPSec, IP in IP, GRE, L2TP and PPTP tunnels. What else?

Would it be better to aggregate the tunnels into one large logical router, or rather multiple smaller UML / VMWare routers per client so the client could have control over the remote end?

What about IP address space?

Thoughts / Opinions?

Grant. . . .

From vdautrem at ulb.ac.be Thu Jul 26 18:23:10 2007
From: vdautrem at ulb.ac.be (Vincent Dautremont)
Date: Thu Jul 26 18:23:15 2007
Subject: Rép : [LARTC] about default filter command
Message-ID:

On 26 Jul 2007 at 13:55, Georgi Alexandrov wrote:

> Vincent Dautremont wrote:
>
>> Hi,
>> here I have another newcomer question :-)
>> in section 9.6.1 of this how-to
>> http://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.qdisc.filters.html
>> we can read commands about filters:
>> [...]
>> # tc filter add dev eth0 protocol ip parent 10: prio 2 flowid 10:2
>>
>> It just gives me the error: "Unknown filter flowid, hence option 1:2 is
>> unparsable"
>> [...]
>
> You should have posted *all* your tc rules.

Ok, thanks for your advice, here are all my tc rules:

# tc qdisc add dev eth0 root handle 1: prio
# tc filter add dev eth0 protocol ip parent 1: prio 1 u32 match ip dport 22 0xffff flowid 1:1
# tc filter add dev eth0 protocol ip parent 1: prio 2 flowid 1:2
----
Does this lack one rule? Anyway, the last one is not accepted by tc.

Vincent.

From lartc at rootsucks.com Thu Jul 26 20:11:04 2007
From: lartc at rootsucks.com (Philippe)
Date: Thu Jul 26 20:07:44 2007
Subject: [LARTC] Patch accurate packet scheduling for ATM/ADSL
In-Reply-To: <81c11a560707260322m14a53679h99167d346a9d1613@mail.gmail.com>
References: <81c11a560707250614h6d89b614t8c906f8e552248a4@mail.gmail.com> <1185442724.4200.185.camel@ras> <81c11a560707260322m14a53679h99167d346a9d1613@mail.gmail.com>
Message-ID: <46A8E3B8.3010003@rootsucks.com>

Hi! (Sorry for my bad English...)

> I use the patch
> (http://ace-host.stuart.id.au/russell/files/tc/tc-atm/) for accurate
> packet scheduling on an ATM/ADSL link and I think I've found a bug.

I use it too; this patch is great! :o)

But with TBF, both the burst and limit parameters are "affected" by the patch (or I clearly missed something).
tc qdisc add dev eth1 root handle 1:0 tbf rate 100kbit \
    burst 1514b limit 1514b mpu 64 atm overhead -4
tc qdisc add dev eth1 parent 1:1 handle 10:0 pfifo

Before the patch (without "atm overhead -4"), using PPPoA + VC/Mux and MSS set to 1438, TBF was working normally. Just after the patch (with "atm overhead -4"), it stopped working: packets were blocked until I raised burst and limit to 1696 (32 * 53).

In this case Linux sees 1492-byte packets on eth1 (1438 + 20 IP + 20 TCP + 14 Ethernet).

Same effect with a lower MSS: burst and limit must be set to 742b (14 * 53) when MSS = 574.

Pretty sure I do not understand something... and wondering why I cannot set burst/limit to 628b (only for TCP streams).

To get minimal burst/limit values, an extra ATM cell is needed:

mss = 1150
eth1 packet = 1204b (1150 + 40 + 14)
modem packet = 1200b (1150 + 40 + 2 PPP + 8 AAL5)
ATM cells = 25 (1200 / 48)
Add one cell... and... min burst/limit = 1378 (26 * 53)

TBF rate also seems to be affected: I currently have it set to 159kbit on a 128kbit upstream link and it works like a charm! :o)

This is not really a problem (if it works, don't touch it) but I would like to understand...

Thanks!

Philippe

From coricim at gmail.com Thu Jul 26 20:16:55 2007
From: coricim at gmail.com (Marius Corici)
Date: Thu Jul 26 20:17:00 2007
Subject: [LARTC] IPv6 in IPv6 tunneling
Message-ID: <2abc33350707261116w1a9e6d86tf238ca8ab2b388c6@mail.gmail.com>

Hello,

Is there any tool that supports IPv6 in IPv6, or IPv6 in UDP over IPv6, as an out-of-the-box solution (preferably :P)?

Greetings,
Marius Corici
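Philippe's cell arithmetic above, together with the char-signedness question Russell raised earlier in this thread, as an added C example (this is not code from the list, the kernel or the tc-atm patch; the function names are the example's own). atm_wire_bytes() computes how many 53-byte cells a frame occupies once Philippe's overhead convention is applied (for PPPoA VC/Mux: -14 Ethernet + 2 PPP + 8 AAL5 = -4), and the read_cell_align_* functions show what a cell_align value in -7..0 becomes when the field is a plain char on an ABI where char is unsigned, versus a signed char. Compile with -funsigned-char to see the ARM behaviour on an x86 box. The arithmetic reproduces Philippe's 25 cells / 1325 bytes for a 1204-byte frame; the extra cell he had to allow for is not explained by it.

```c
/* atm_cells.c: ATM cell arithmetic for shaping on an ADSL link, plus the
 * char-signedness trap behind the cell_align report.  Added example; not
 * code from the list, the kernel or the tc-atm patch.
 *
 * Build: cc -Wall -o atm_cells atm_cells.c
 * ARM behaviour on x86: cc -Wall -funsigned-char -o atm_cells atm_cells.c */
#include <limits.h>
#include <stdio.h>

#define ATM_CELL_BYTES   53   /* 5-byte header + 48-byte payload on the wire */
#define ATM_CELL_PAYLOAD 48

/* Cells needed for an AAL5 PDU whose length already includes the 8-byte
 * AAL5 trailer; the last cell is padded out to a full 48-byte payload. */
unsigned atm_cells(unsigned pdu_len)
{
    return (pdu_len + ATM_CELL_PAYLOAD - 1) / ATM_CELL_PAYLOAD;
}

/* Bytes clocked onto the line for one frame of `frame_len` bytes as Linux
 * sees it on the Ethernet side.  `overhead` is the per-frame correction in
 * Philippe's sense: for PPPoA VC/Mux, -14 (Ethernet header Linux counts)
 * + 2 (PPP protocol) + 8 (AAL5 trailer) = -4. */
unsigned atm_wire_bytes(unsigned frame_len, int overhead)
{
    long pdu = (long)frame_len + overhead;
    if (pdu <= 0)
        return 0;
    return atm_cells((unsigned)pdu) * ATM_CELL_BYTES;
}

/* Does plain `char` lose its sign on this ABI?  True on ARM (AAPCS), false
 * on i386: the difference Russell asked Edouard about. */
int plain_char_is_unsigned(void)
{
    return CHAR_MIN == 0;
}

/* cell_align is always in -7..0, so the byte stored in the struct is one of
 * 0xF9..0xFF or 0x00.  Read back through a plain `char` it is the intended
 * -7..0 where char is signed, but 249..255 where char is unsigned, so every
 * later computation is off by exactly 256. */
int read_cell_align_plain_char(unsigned char raw, int char_is_unsigned)
{
    return char_is_unsigned ? (int)raw : (int)(signed char)raw;
}

/* Portable fix: declare the field `signed char` (the kernel's __s8).  Same
 * one-byte layout as the original field, correct sign on every ABI. */
int read_cell_align_signed_char(unsigned char raw)
{
    return (int)(signed char)raw;
}

int main(void)
{
    /* Philippe's figures: MSS 1150 -> 1204-byte Ethernet frame -> 1200-byte PDU */
    printf("1204-byte frame, overhead -4: %u cells, %u wire bytes\n",
           atm_cells(1204 - 4), atm_wire_bytes(1204, -4));
    printf("1492-byte frame, overhead -4: %u wire bytes\n",
           atm_wire_bytes(1492, -4));
    printf("plain char is %s on this build\n",
           plain_char_is_unsigned() ? "unsigned" : "signed");
    printf("cell_align -4 read back through plain char:  %d\n",
           read_cell_align_plain_char((unsigned char)-4, plain_char_is_unsigned()));
    printf("cell_align -4 read back through signed char: %d\n",
           read_cell_align_signed_char((unsigned char)-4));
    return 0;
}
```

Note that widening the field to `short` as Edouard did also gives the right sign on every ABI; `signed char` simply does it without touching the struct layout.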
From patrick at xentech.net Thu Jul 26 20:44:53 2007
From: patrick at xentech.net (Patrick (Xentech))
Date: Thu Jul 26 20:50:59 2007
Subject: [LARTC] Multi-Path Load Balancing
Message-ID: <92593F50-D88A-456A-A72E-5B2F36767070@xentech.net>

Hi,

We have the following config:

Servers -> BGP router (10 Gbit) -> BGP router (1 Gbit) -> BGP router (100 mbit)

We would like to do the following. The server should first fill the 100 mbit link, then fill the 1 Gbit link, and then the 10 Gbit link, as traffic increases. The reverse applies when traffic decreases.

I found lots of docs on round-robin weighted links, etc., but that would actually load balance these links evenly. We would like to have it work like a bucket system though.

Any ideas?

From fragabr at gmail.com Thu Jul 26 23:30:30 2007
From: fragabr at gmail.com (Dâniel Fraga)
Date: Thu Jul 26 23:40:07 2007
Subject: [LARTC] Re: Definitive way to aggregate bandwidth using multiple links
References: <4qdln4-tl7.ln1@tux.abusar.org> <2dae841b0707252236l31409205gf95971fde9fd5e64@mail.gmail.com> <9jpln4-3l9.ln1@tux.abusar.org> <46A8B01B.8030000@riverviewtech.net>
Message-ID:

On Thu, 26 Jul 2007 09:30:51 -0500 Grant Taylor wrote:

> The only thing that comes to mind that would facilitate true
> aggregation of multiple links would be to have a server on very high
> bandwidth that you could create multiple tunnels (IPIP / IPSec / GRE)
> to and have it aggregate the multiple tunnels together and then use
> the aggregated tunnel as your larger pipe to the world and do all
> your NATing at that end so the world would see you from one largish
> connection.

But this is if you want to aggregate bandwidth to the world. Yes, in theory it should work.
But I want to aggregate bandwidth just for me (although it would be nice if the world could see one huge link).

For external access, it would be nice (and simpler) if we had a universal protocol which just told the client "you can access this server through IPs x, y and z" and the client would open connections to x, y and z. There are programs that do this, but you have to tell them the IPs to connect to:

http://aria2.sourceforge.net/

"aria2 has a segmented downloading engine in its core. It can download one file from multiple URLs"

http://wilmer.gaast.net/main.php/axel.html

This supports multiple servers too and can download from a list of mirrors...

-- 
Linux 2.6.22: Holy Dancing Manatees, Batman!

From vdautrem at ulb.ac.be Fri Jul 27 03:53:52 2007
From: vdautrem at ulb.ac.be (Vincent Dautremont)
Date: Fri Jul 27 03:54:00 2007
Subject: Re: Rép : [LARTC] about default filter command
In-Reply-To:
References:
Message-ID:

Are you sure? Because that's not what is written in the how-to
http://lartc.org/howto/lartc.qdisc.classful.html
Check section 9.5.3, which says that three classes are automatically created by default, and section 9.5.3.2:

# tc qdisc add dev eth0 root handle 1: prio
## This *instantly* creates classes 1:1, 1:2, 1:3

Vincent.

On 27 Jul 2007 at 03:45, ??? wrote:

> It seems you miss the class.
>
> On 7/27/07, Vincent Dautremont wrote:
>> [...]
>> Ok, thanks for your advice, here are all my tc rules:
>>
>> # tc qdisc add dev eth0 root handle 1: prio
>> # tc filter add dev eth0 protocol ip parent 1: prio 1 u32 match ip
>> dport 22 0xffff flowid 1:1
>> # tc filter add dev eth0 protocol ip parent 1: prio 2 flowid 1:2
>> ----
>> Does this lack one rule? Anyway, the last one is not accepted by tc.
>>
>> Vincent.

From womking at gmail.com Fri Jul 27 03:55:35 2007
From: womking at gmail.com (吴明军)
Date: Fri Jul 27 03:55:38 2007
Subject: [LARTC] Re: tc filter not work, why?
In-Reply-To:
References:
Message-ID:

Must the tc and the Linux kernel net/sched/ versions match exactly? Or is the kernel configuration missing some modules?

I have compiled in all the QoS and/or fair queueing options.

Thank you for your help.

On 7/26/07, 吴明军 <womking@gmail.com> wrote:
> I try to use tc on mips with linux-2.4.18 but the u32 filter dosn't work
> [...]

From vdautrem at ulb.ac.be Fri Jul 27 06:26:41 2007
From: vdautrem at ulb.ac.be (Vincent Dautremont)
Date: Fri Jul 27 06:26:51 2007
Subject: Re: Rép : [LARTC] about default filter command
In-Reply-To:
References:
Message-ID: <7934E83E-844C-483B-BB40-4CCA5BE56190@ulb.ac.be>

I'm a bit lost with the command line of "tc class add".

First I do this and it works:

>> # tc qdisc add dev eth0 root handle 1: prio
>> # tc filter add dev eth0 protocol ip parent 1: prio 1 u32 match ip
>> dport 22 0xffff flowid 1:1

then I do

# tc class add dev eth0 parent:1.0 classid1:2

and the result is "RTNETLINK answers: File exists"
which seems normal to me, because when I create the prio qdisc with the first command it automatically adds 3 classes (1:1, 1:2, 1:3).

No, I think the problem is not here. It must be the how-to I refer to which is wrong.

So how to choose 1 of the 3 queues of prio as the default one... that remains a mystery.

Anyway, thanks for your help.

Vincent.

On 27 Jul 2007 at 04:00, ??? wrote:

> you should try to add the class that the filter said unknown flowid
>
> On 7/27/07, Vincent Dautremont wrote:
>> Are you sure? Because that's not what is written in the how-to
>> http://lartc.org/howto/lartc.qdisc.classful.html
>> Check section 9.5.3, which says that three classes are automatically
>> created by default, and section 9.5.3.2:
>> # tc qdisc add dev eth0 root handle 1: prio
>> ## This *instantly* creates classes 1:1, 1:2, 1:3
>>
>> Vincent.
>> [...]

From roman at usonyx.net Fri Jul 27 07:30:53 2007
From: roman at usonyx.net (Roman Ledovskiy)
Date: Fri Jul 27 07:31:13 2007
Subject: [LARTC] help compiling tcng on 64bit
Message-ID: <013f01c7d00f$4e4cc790$eae656b0$@net>

Hi,

Trying to compile tcng on a 64-bit server (CentOS 5, 64-bit), I'm getting:

--------------
cc -g -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -I../shared -DVERSION=\"`cat ../VERSION`\" -DTOPDIR=\"/usr/local/src/tcng-non-patched\" -DDOLLAR -DCONFIRM_EXCEED -c -o f_fw.o f_fw.c
In file included from ../shared/memutil.h:13,
                 from util.h:14,
                 from f_fw.c:13:
/usr/include/sys/types.h:46: error: conflicting types for loff_t
/usr/include/linux/types.h:30: error: previous declaration of loff_t was here
/usr/include/sys/types.h:62: error: conflicting types for dev_t
/usr/include/linux/types.h:13: error: previous declaration of dev_t was here
In file included from /usr/include/sys/types.h:133,
                 from ../shared/memutil.h:13,
                 from util.h:14,
                 from f_fw.c:13:
/usr/include/time.h:105: error: conflicting types for timer_t
/usr/include/linux/types.h:22: error: previous declaration of timer_t was here
In file included from ../shared/memutil.h:13,
                 from util.h:14,
                 from f_fw.c:13:
/usr/include/sys/types.h:198: error: conflicting types for int64_t
/usr/include/linux/types.h:98: error: previous declaration of int64_t was here
/usr/include/sys/types.h:204: error: conflicting types for u_int64_t
/usr/include/linux/types.h:97: error: previous declaration of u_int64_t was here
In file included from /usr/include/sys/types.h:220,
                 from ../shared/memutil.h:13,
                 from util.h:14,
                 from f_fw.c:13:
/usr/include/sys/select.h:78: error: conflicting types for fd_set
/usr/include/linux/types.h:12: error: previous declaration of fd_set was here
In file included from ../shared/memutil.h:13,
                 from util.h:14,
                 from f_fw.c:13:
/usr/include/sys/types.h:235: error: conflicting types for blkcnt_t
/usr/include/linux/types.h:114: error: previous declaration of blkcnt_t was here
In file included from data.h:14,
                 from location.h:21,
                 from error.h:14,
                 from f_fw.c:14:
/usr/include/stdint.h:56: error: conflicting types for uint64_t
/usr/include/linux/types.h:96: error: previous declaration of uint64_t was here
--------------

If I comment out the line "#include " in shared/memutil.h (as is done in http://devel.dob.sk/tcng+esfq/) I get one error only:

----------
DTOPDIR=\"/usr/local/src/tcng-non-patched\" -DDOLLAR -DCONFIRM_EXCEED -c -o f_fw.o f_fw.c
In file included from data.h:14,
                 from location.h:21,
                 from error.h:14,
                 from f_fw.c:14:
/usr/include/stdint.h:41: error: conflicting types for int64_t
/usr/include/linux/types.h:98: error: previous declaration of int64_t was here
/usr/include/stdint.h:56: error: conflicting types for uint64_t
/usr/include/linux/types.h:96: error: previous declaration of uint64_t was here
----------

Did anybody try compiling it under 64-bit? I'd appreciate any help with this.

Thanks
Roman

From lists at andyfurniss.entadsl.com Fri Jul 27 12:30:13 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Fri Jul 27 12:30:24 2007
Subject: [LARTC] about default filter command
In-Reply-To: <5C822E76-E686-499C-B408-90EF00C1494C@ulb.ac.be>
References: <5C822E76-E686-499C-B408-90EF00C1494C@ulb.ac.be>
Message-ID: <46A9C935.8020602@andyfurniss.entadsl.com>

Vincent Dautremont wrote:
> # tc filter add dev eth0 protocol ip parent 10: prio 2 flowid 10:2
>
> It just gives me the error: "Unknown filter flowid, hence option 1:2 is
> unparsable"

I am not sure if that ever worked or not - I use

tc filter add dev eth0 protocol ip parent 10: prio 2 u32 match u32 0 0 flowid 10:2

which should catch all unclassified IP traffic.
When you put prio on root there is often a further buffer that has to fill before anything happens.

Also arp goes to 1:2 unless you filter it elsewhere.

Andy.

From womking at gmail.com Mon Jul 30 11:30:22 2007
From: womking at gmail.com (吴明津)
Date: Mon Jul 30 11:30:48 2007
Subject: [LARTC] tc filter not work, why?
In-Reply-To: <46AD859C.8070209@oldum.net>
References: <46A8736E.3070208@oldum.net> <46AD859C.8070209@oldum.net>
Message-ID:

hello Nikolay Kichukov,

Thank you for your help, I have fixed the problem now.

I'm not using the tc in a computer, I ported the tc to an embedded system, a router running linux, and I want to control the traffic on LAN, and the WAN is connected to the Internet by PPPoE.

Today I debugged in the linux net/sched/ code and found a bug in the include/net/pkt_cls.h->tc_classify().

when I use PPPoE to access Internet by WAN, the skb->protocol is 0x8864 which means a PPPoE session packet, so it does not match the protocol ip which is given in the filter, and all the packets will not be classified by the filter.

On 7/30/07, Nikolay Kichukov <hijacker@oldum.net> wrote:
> Hello 吴明津,
> I cannot clearly understand the whole scenario.
>
> Normally on your router box you have 2 interfaces:
> eth0 and eth1 for example
>
> Let me know which is connected to your LAN and which to your WAN and
> which way you want to limit packets.
>
> Cheers,
> -Nik
>
> 吴明津 wrote:
> > thanks Nikolay ,
> >
> > In the filter src means limit the up speed on WAN interface, I want to
> > limit the down speed, so it should use u32 to match the dst ip address.
> > Besides, I tried src, it didn't work too.
> >
> > On 7/26/07, Nikolay Kichukov <hijacker@oldum.net> wrote:
> >> Hello 吴明津,
> >>
> >> Maybe in your filter statement you should use src rather than dst? It is
> >> not clear what interface is connected to what hosts.
> >>
> >> HTH,
> >> -Nik
> >>
> >> 吴明津 wrote:
> >> > I try to use tc on mips with linux-2.4.18 but the u32 filter doesn't
> >> > work
> >> >
> >> > I added htb qdisc to linux-2.4.18 and use it to limit the speed in
> >> > LAN, it only works well on the default class, for example
> >> >
> >> > tc qdisc add dev eth0 root handle 1: htb default 10
> >> > tc class add dev eth0 parent 1:0 classid 1:1 htb rate 2000kbit
> >> > tc class add dev eth0 parent 1:1 classid 1:10 htb rate 500kbit ceil 500kbit
> >> > tc class add dev eth0 parent 1:1 classid 1:11 htb rate 300kbit ceil 300kbit
> >> > tc filter add dev eth0 protocol ip u32 match ip dst 192.168.18.100 flowid 1:11
> >> >
> >> > the host 192.168.18.100 has a speed of 500kbit rather than 300kbit.
> >> >
> >> > if I don't set the default 10 class, all this doesn't have any effect.
> >> >
> >> > why?
> >> >
> >> > thank you.
> >> > _______________________________________________
> >> > LARTC mailing list
> >> > LARTC@mailman.ds9a.nl
> >> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> >>
>

From jonathan.gazeley at bristol.ac.uk Mon Jul 30 13:40:00 2007
From: jonathan.gazeley at bristol.ac.uk (Jonathan Gazeley)
Date: Mon Jul 30 13:40:07 2007
Subject: [LARTC] tc n00b
Message-ID: <46ADCE10.6080906@bristol.ac.uk>

Hi everyone,

I'm new to tc but I need to use it to set up shaping on a new NAT box. In short:

Each user must have their upload limited to 128kbit and downlink limited to 256kbit.
Global bandwidth to be limited to 100Mbit.
Interactive packets to have higher priority.
200+ users, so need to match packets fast.

So far I have managed to get the download limits working. However I need to shape on both interfaces so I recycled the same code to apply to uploads but it didn't work and I can't figure out why - I find the syntax confusing.

Can anyone suggest the easiest way to implement the above goals?

As an aside, is anyone aware if there is a web interface for tc available?

Many thanks,
Jonathan

------------------------
Jonathan Gazeley
Wireless & VPN Team
Information Systems & Computing
University of Bristol
------------------------

From ams at toroid.org Mon Jul 30 14:14:32 2007
From: ams at toroid.org (Abhijit Menon-Sen)
Date: Mon Jul 30 14:14:37 2007
Subject: [LARTC] Re: tc n00b
In-Reply-To: <46ADCE10.6080906@bristol.ac.uk>
References: <46ADCE10.6080906@bristol.ac.uk>
Message-ID: <20070730121432.GB30519@toroid.org>

Hello Jonathan.

At 2007-07-30 12:40:00 +0100, jonathan.gazeley@bristol.ac.uk wrote:
>
> So far I have managed to get the download limits working. However I
> need to shape on both interfaces so I recycled the same code to apply
> to uploads but it didn't work and I can't figure out why

That's not really enough information to try to debug your problem, but I can think of one problem you might encounter. Since you're doing NAT for your clients, you should be aware that the source address is rewritten (i.e. in nat/POSTROUTING) _before_ egress QoS processing.

So if you're trying to classify outgoing traffic based on their source IP address, it won't work.

One alternative is to mark packets from the internal network (i.e. use -j MARK --set-mark N in mangle/PREROUTING), and write a filter on the outgoing interface that assigns traffic to classes based on how it's marked (u32 match mark ...). (If you want more details, ask.)

(If anyone has other suggestions, I would be interested in them too.)

-- ams

From jonathan.gazeley at bristol.ac.uk Mon Jul 30 15:16:22 2007
From: jonathan.gazeley at bristol.ac.uk (Jonathan Gazeley)
Date: Mon Jul 30 15:16:28 2007
Subject: [LARTC] Re: tc n00b
In-Reply-To: <20070730121432.GB30519@toroid.org>
References: <46ADCE10.6080906@bristol.ac.uk> <20070730121432.GB30519@toroid.org>
Message-ID: <46ADE4A6.1020808@bristol.ac.uk>

Hi Abhijit,

Thanks a lot for your advice - I didn't realise that the source IP was re-written before the traffic was shaped.

I have attached the script I wrote. As I said before, the download limit does successfully work and each client (I am using 2 test clients) gets 512kbit each. However the upload is still unlimited. But I don't believe this is currently due to the source IP being re-written - tc itself doesn't like my commands. They were literally copied and pasted from the download commands and altered as appropriate, as you see in the script.

When I run this script, each iteration of lines 48-49 produces the following error:

137.222.235.125
Error: Qdisc "tbf" is classless.
Error: Qdisc "1:" is classless.
Unknown filter "1:", hence option "protocol" is unparsable

I don't really understand that error - especially as the identical code does work for the download limits.

If you can offer any more help, I'd be most grateful.

Cheers,
Jonathan

Abhijit Menon-Sen wrote:
> Hello Jonathan.
>
> At 2007-07-30 12:40:00 +0100, jonathan.gazeley@bristol.ac.uk wrote:
>
>> So far I have managed to get the download limits working.
>> However I
>> need to shape on both interfaces so I recycled the same code to apply
>> to uploads but it didn't work and I can't figure out why
>>
>
> That's not really enough information to try to debug your problem, but I
> can think of one problem you might encounter. Since you're doing NAT for
> your clients, you should be aware that the source address is rewritten
> (i.e. in nat/POSTROUTING) _before_ egress QoS processing.
>
> So if you're trying to classify outgoing traffic based on their source
> IP address, it won't work.
>
> One alternative is to mark packets from the internal network (i.e. use
> -j MARK --set-mark N in mangle/PREROUTING), and write a filter on the
> outgoing interface that assigns traffic to classes based on how it's
> marked (u32 match mark ...). (If you want more details, ask.)
>
> (If anyone has other suggestions, I would be interested in them too.)
>
> -- ams
>

--
------------------------
Jonathan Gazeley
Wireless & VPN Team
Information Systems & Computing
University of Bristol
------------------------

-------------- next part --------------
#!/bin/sh
## JONATHAN'S TC SCRIPT

# LAN interfaces
LAN=eth0
WAN=eth1

# Maximum global uplink and downlink in mbit/s
GLOBAL_DOWN=100
GLOBAL_UP=100

# Maximum per-user download & upload speed in kbit/s
DOWNLINK=512
UPLINK=256

# Subnets to be stamped down upon, delimited by spaces
SUBNETS='235'

# IP range in each subnet
LOW_IP=1
HIGH_IP=125

#-----------------Don't mess with stuff below---------------|
#-----------------this line or you'll break it--------------|

# Flush existing rules
tc qdisc del dev $LAN root
tc qdisc del dev $WAN root

# Create root class for 100mbit interface - total traffic can't exceed this
tc qdisc add dev $LAN root handle 1: cbq avpkt 1000 bandwidth ${GLOBAL_DOWN}mbit
tc qdisc add dev $WAN root handle 1: cbq avpkt 1000 bandwidth ${GLOBAL_UP}mbit

# Set useful counters
jcount=1
icount=1
total=0

# Apply rules for all included subnets
for j in $SUBNETS
do
    for i in `seq $LOW_IP $HIGH_IP`
    do
        total=$((total+1))
        echo 137.222.$j.$i
        tc class add dev $LAN parent 1: classid 1:$total tbf rate ${DOWNLINK}kbit allot 1500 prio 5 bounded isolated
        tc filter add dev $LAN parent 1: protocol ip prio 16 u32 match ip dst 137.222.$j.$i flowid 1:$total
        tc class add dev $wAN parent 1: classid 1:$total tbf rate ${UPLINK}kbit allot 1500 prio 5 bounded isolated
        tc filter add dev $wAN parent 1: protocol ip prio 16 u32 match ip src 137.222.$j.$i flowid 1:$total
        i=i+1
    done
    j=j+1
done

echo
echo $total miscreants were stamped down upon. Good work Pokey!
echo Their IP addresses were in the following ranges:
for j in $SUBNETS
do
    echo 137.222.$j.$LOW_IP-$HIGH_IP
done

From ams at toroid.org Mon Jul 30 15:26:41 2007
From: ams at toroid.org (Abhijit Menon-Sen)
Date: Mon Jul 30 15:26:45 2007
Subject: [LARTC] Re: tc n00b
In-Reply-To: <46ADE4A6.1020808@bristol.ac.uk>
References: <46ADCE10.6080906@bristol.ac.uk> <20070730121432.GB30519@toroid.org> <46ADE4A6.1020808@bristol.ac.uk>
Message-ID: <20070730132641.GA4732@toroid.org>

At 2007-07-30 14:16:22 +0100, jonathan.gazeley@bristol.ac.uk wrote:
>
> I don't really understand that error - especially as the identical
> code does work for the download limits.

I think it's only that you define $WAN and later use $wAN, so tc thinks it's missing an argument, and gets confused.

-- ams

From jonathan.gazeley at bristol.ac.uk Mon Jul 30 15:36:03 2007
From: jonathan.gazeley at bristol.ac.uk (Jonathan Gazeley)
Date: Mon Jul 30 15:36:09 2007
Subject: [LARTC] Re: tc n00b
In-Reply-To: <20070730132641.GA4732@toroid.org>
References: <46ADCE10.6080906@bristol.ac.uk> <20070730121432.GB30519@toroid.org> <46ADE4A6.1020808@bristol.ac.uk> <20070730132641.GA4732@toroid.org>
Message-ID: <46ADE943.5090504@bristol.ac.uk>

Eck, how embarrassing. Thanks for that - now fixed.

I still get errors though:

137.222.235.125
Error: Qdisc "tbf" is classless.
Error: Qdisc "tbf" is classless.

Any ideas what's broken? I'm not so hot on classful queueing disciplines!
Cheers,
Jonathan

------------------------
Jonathan Gazeley
Wireless & VPN Team
Information Systems & Computing
University of Bristol
------------------------

Abhijit Menon-Sen wrote:
> At 2007-07-30 14:16:22 +0100, jonathan.gazeley@bristol.ac.uk wrote:
>
>> I don't really understand that error - especially as the identical
>> code does work for the download limits.
>>
>
> I think it's only that you define $WAN and later use $wAN, so tc thinks
> it's missing an argument, and gets confused.
>
> -- ams

From ams at toroid.org Mon Jul 30 15:43:55 2007
From: ams at toroid.org (Abhijit Menon-Sen)
Date: Mon Jul 30 15:44:01 2007
Subject: [LARTC] Re: tc n00b
In-Reply-To: <46ADE943.5090504@bristol.ac.uk>
References: <46ADCE10.6080906@bristol.ac.uk> <20070730121432.GB30519@toroid.org> <46ADE4A6.1020808@bristol.ac.uk> <20070730132641.GA4732@toroid.org> <46ADE943.5090504@bristol.ac.uk>
Message-ID: <20070730134354.GA4889@toroid.org>

At 2007-07-30 14:36:03 +0100, jonathan.gazeley@bristol.ac.uk wrote:
>
> 137.222.235.125
> Error: Qdisc "tbf" is classless.
> Error: Qdisc "tbf" is classless.

One of these is from the $LAN line, and one from the $WAN one, right?

> Any ideas what's broken? I'm not so hot on classful queueing
> disciplines!

It's not really clear to me what you want, but I'm guessing you want to add a CBQ (not TBF) class, and then add a TBF qdisc (with tc qdisc add) under that class. But I don't know why you would want to do that.

(I'd recommend using HTB instead of CBQ, and attaching a prio qdisc to each HTB class.)
-- ams

From jonathan.gazeley at bristol.ac.uk Mon Jul 30 15:58:00 2007
From: jonathan.gazeley at bristol.ac.uk (Jonathan Gazeley)
Date: Mon Jul 30 15:58:08 2007
Subject: [LARTC] Re: tc n00b
In-Reply-To: <20070730134354.GA4889@toroid.org>
References: <46ADCE10.6080906@bristol.ac.uk> <20070730121432.GB30519@toroid.org> <46ADE4A6.1020808@bristol.ac.uk> <20070730132641.GA4732@toroid.org> <46ADE943.5090504@bristol.ac.uk> <20070730134354.GA4889@toroid.org>
Message-ID: <46ADEE68.70501@bristol.ac.uk>

As far as I'm concerned, it doesn't matter what I use, so long as I get the result - I just need to have each user allotted a certain upload and download speed. Nothing too fancy.

I tried switching to HTB. I amended my commands but I don't know if my kernel supports it. I've got CentOS 5.0 with kernel 2.6.18 but I now get errors like these:

137.222.235.125
RTNETLINK answers: No such file or directory
RTNETLINK answers: Invalid argument
We have an error talking to the kernel
RTNETLINK answers: No such file or directory
RTNETLINK answers: Invalid argument
We have an error talking to the kernel

Any clues?

(Sorry to ask so many favours, and thanks for your time)

Jonathan

Abhijit Menon-Sen wrote:
> At 2007-07-30 14:36:03 +0100, jonathan.gazeley@bristol.ac.uk wrote:
>
>> 137.222.235.125
>> Error: Qdisc "tbf" is classless.
>> Error: Qdisc "tbf" is classless.
>>
>
> One of these is from the $LAN line, and one from the $WAN one, right?
>
>
>> Any ideas what's broken? I'm not so hot on classful queueing
>> disciplines!
>>
>
> It's not really clear to me what you want, but I'm guessing you want to
> add a CBQ (not TBF) class, and then add a TBF qdisc (with tc qdisc add)
> under that class. But I don't know why you would want to do that.
>
> (I'd recommend using HTB instead of CBQ, and attaching a prio qdisc to
> each HTB class.)
>
> -- ams
>

--
------------------------
Jonathan Gazeley
Wireless & VPN Team
Information Systems & Computing
University of Bristol
------------------------

From lau at gamesyndicate.nl Mon Jul 30 16:15:48 2007
From: lau at gamesyndicate.nl (Laurence vd Krieken)
Date: Mon Jul 30 16:08:10 2007
Subject: [LARTC] bonding of 2 lines
Message-ID: <253C3920940FF849ACA6FAFE18044BDA180645@tgs-mail.gamesyndicate.nl>

Dear List,

Another noob question today!

I've been using iproute2 for a long time now to manage bandwidth and direct traffic over multiple interfaces based on source routing.

I am working on a test-project at the moment, in which I want to actually bundle ('trunk') some connections. In the LARTC-manual I found the chapter about TEQL (see chapter 10). The situation in that example is to link 2 networks. I need to link a network to 1 remote gateway.

The problem I can't solve on my own is that you can only add physical devices to the teql0 qdisc. Therefore the following won't work:

                +--------------+ eth1   +--------+          +----------+
                |              |========|        |   eth0   |          |
'network 1' ----|   BETAGATE   |        |  INET  | ======== |   ZEUS   |
                |              |========|        |          |          |
                +--------------+ eth2   +--------+          +----------+

Zeus is connected to a 1GB/s internet connection. So the bottleneck won't be the eth0 device on Zeus.

The main goal is that 'network 1' can use the full network speed (4mbit/s up/down) of both connections. (2x 2mbit SDSL)

At the moment I have eth1 and eth2 of Betagate connected to eth0 of Zeus through 2 GRE tunnels. With the following ip's:

eth1 betagate (10.0.1.1) > eth0 zeus (10.0.1.2)
eth2 betagate (10.0.1.4) > eth0 zeus (10.0.1.5)

I could really use your advice on how to be able to get this done.

Thank you in advance,
Lau.
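Picking up the "tc n00b" thread above: the script below is an added example, not code from the thread or from any of its posters. It puts together the advice given there: each client's packets are marked in mangle/PREROUTING while the source address is still the private one (nat/POSTROUTING rewrites it before egress QoS, which is why a "u32 match ip src" filter on the WAN side never matches), the mark is matched on the WAN side with the fw classifier (rather than a u32 mark match), and HTB classes with a prio qdisc under each replace the CBQ/TBF mixture. Interface names, the 192.0.2.0/24 client addresses (a documentation range) and the rates are assumptions. Unless DRY_RUN=0 is set the script only prints the commands it would run, so the generated rule set can be reviewed before it touches a live NAT box.

```shell
#!/bin/sh
# Added example for the "tc n00b" thread; not code from the list posters.
# Per-client shaping on a NAT box: HTB on both interfaces, one class per
# client with a prio qdisc under it, download matched on destination address,
# upload matched on an fwmark set in mangle/PREROUTING (before nat/POSTROUTING
# rewrites the source address, which is why "u32 match ip src" never hits).
# Interface names, addresses and rates below are assumptions for illustration.

LAN=eth0                 # towards the clients
WAN=eth1                 # towards the Internet; SNAT happens on egress here
GLOBAL=100mbit           # ceiling for the whole interface
DOWNLINK=256kbit         # per-client download limit
UPLINK=128kbit           # per-client upload limit
CLIENTS="192.0.2.10 192.0.2.11 192.0.2.12"   # constructed (RFC 5737 range)
DRY_RUN=${DRY_RUN:-1}    # 1 = print the commands, 0 = execute them (needs root)

# Either print a command or execute it, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Root HTB qdisc on one interface: class 1:1 carries the interface ceiling,
# leaf 1:999 is the default for anything no filter claims.
setup_root() {
    dev=$1
    run tc qdisc del dev "$dev" root 2>/dev/null || true   # no qdisc yet on first run
    run tc qdisc add dev "$dev" root handle 1: htb default 999
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "$GLOBAL"
    run tc class add dev "$dev" parent 1:1 classid 1:999 htb rate 1mbit ceil "$GLOBAL"
}

# One HTB class (plus prio qdisc) per direction for a client. $1 is the class
# index (tc reads the minor id as hex, so start at 10 to stay clear of 1:1),
# $2 is the client's private address.
add_client() {
    idx=$1
    ip=$2
    mark=$((100 + idx))    # one fwmark per client

    # Download: the destination address is still the client's, match it directly.
    run tc class add dev "$LAN" parent 1:1 classid "1:$idx" htb rate "$DOWNLINK" ceil "$DOWNLINK"
    run tc qdisc add dev "$LAN" parent "1:$idx" handle "$idx:" prio
    run tc filter add dev "$LAN" parent 1: protocol ip prio 1 u32 match ip dst "$ip/32" flowid "1:$idx"

    # Upload: mark in mangle/PREROUTING while the source is still the private
    # address, then classify on the mark after SNAT with the fw classifier.
    run iptables -t mangle -A PREROUTING -i "$LAN" -s "$ip" -j MARK --set-mark "$mark"
    run tc class add dev "$WAN" parent 1:1 classid "1:$idx" htb rate "$UPLINK" ceil "$UPLINK"
    run tc qdisc add dev "$WAN" parent "1:$idx" handle "$idx:" prio
    run tc filter add dev "$WAN" parent 1: protocol ip prio 1 handle "$mark" fw flowid "1:$idx"
}

# Number of clients in $CLIENTS (word count).
client_count() {
    set -- $CLIENTS
    echo $#
}

# Emit (or apply) the whole rule set. With DRY_RUN=1 this writes one command
# per line to stdout: 4 lines per interface plus 7 per client.
build_rules() {
    setup_root "$LAN"
    setup_root "$WAN"
    idx=10
    for ip in $CLIENTS; do
        add_client "$idx" "$ip"
        idx=$((idx + 1))
    done
}

build_rules
```

Run it once as-is to read the generated commands, then with `DRY_RUN=0` as root to apply them; `bash -x` on the script (as suggested later in the thread) shows which command an RTNETLINK error belongs to. The fw classifier keyed on the mark is what survives the source rewrite; the mark is set on the LAN ingress side, so it never depends on the public address.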
From Ralf-Lists at ralfgross.de Mon Jul 30 16:10:10 2007
From: Ralf-Lists at ralfgross.de (Ralf Gross)
Date: Mon Jul 30 16:10:39 2007
Subject: [LARTC] bandwidth aggregation between 2 hosts in the same subnet
Message-ID: <20070730141010.GA27667@p15145560.pureserver.info>

Hi,

I'm trying to increase the bandwidth between two hosts (backup). Both hosts are in the same /24 subnet and each of them is connected to a Cisco switch by 2 GbE interfaces (intel e1000). The switches/hosts are located in different buildings which are connected by 3 x GbE.

            building A                    |           building B
                                          |
 --------                        -----    |    -----                        --------
|        |eth2,10.60.1.241      |     |   |   |     |      10.60.1.244,eth2|        |
|  host  |----------------------|  S  |---|---|  S  |----------------------|  host  |
|   A    |                      |  W  |---|---|  W  |                      |   B    |
|        |eth3,10.60.1.240      |     |---|---|     |      10.60.1.243,eth3|        |
|        |----------------------|     |   |   |     |----------------------|        |
 --------                        -----    |    -----                        --------
                                          |

My goal is to increase the bandwidth for a single tcp session between the two hosts for a backup job (per packet round robin?), not for multiple connections between many hosts. I know that I won't get 2 x 115Mb/s because of packet reordering, but 20-30% more than a single connection would be ok.

I followed different HowTOs

http://www.lartc.org/howto/lartc.rpdb.multiple-links.html#AEN298
http://lartc.org/howto/lartc.loadshare.html
or something like: ip route...equalize via...

but I never got a higher transfer rate between the two hosts than max 115Mb/s with benchmarks like netpipe or netio.

I guess the route cache might be a problem here, or maybe I'm missing some other important part.

I'm running Debian Etch with Kernel 2.6.21 from backports.org.

Any ideas what I'm missing, or if it's possible at all?
Thanks,
Ralf

From b42-ml at srck.net Mon Jul 30 16:10:28 2007
From: b42-ml at srck.net (Martin Milata)
Date: Mon Jul 30 16:12:53 2007
Subject: [LARTC] Re: tc n00b
In-Reply-To: <46ADEE68.70501@bristol.ac.uk>
References: <46ADCE10.6080906@bristol.ac.uk> <20070730121432.GB30519@toroid.org> <46ADE4A6.1020808@bristol.ac.uk> <20070730132641.GA4732@toroid.org> <46ADE943.5090504@bristol.ac.uk> <20070730134354.GA4889@toroid.org> <46ADEE68.70501@bristol.ac.uk>
Message-ID: <20070730141028.GF20842@nyx>

On Mon, Jul 30, 2007 at 02:58:00PM +0100, Jonathan Gazeley wrote:
[...]
> 137.222.235.125
> RTNETLINK answers: No such file or directory
> RTNETLINK answers: Invalid argument
> We have an error talking to the kernel
> RTNETLINK answers: No such file or directory
> RTNETLINK answers: Invalid argument
> We have an error talking to the kernel
[...]

Hint: If you run your script as "bash -x script_name" (or use #!/bin/sh -x as shebang), you will be able to see which exact command caused the error message.

Regards,
-MM

From andreas at stapelspeicher.org Mon Jul 30 20:01:52 2007
From: andreas at stapelspeicher.org (Andreas Mueller)
Date: Mon Jul 30 20:01:28 2007
Subject: [LARTC] help compiling tcng on 64bit
In-Reply-To: <013f01c7d00f$4e4cc790$eae656b0$@net>
References: <013f01c7d00f$4e4cc790$eae656b0$@net>
Message-ID: <20070730180152.GA8399@h1040211.serverkompetenz.net>

Hi Roman,

try a patch from a distributor, e.g. Debian (http://ftp.debian.org/debian/pool/main/t/tcng/tcng_10b-1.diff.gz).
Andreas

Roman Ledovskiy wrote:
> Hi,
>
> Trying to compile tcng on 64bit server (centos-5 64bit), I'm getting:
> --------------
> cc -g -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations
> -I../shared -DVERSION=\"`cat ../VERSION`\"
> -DTOPDIR=\"/usr/local/src/tcng-non-patched\" -DDOLLAR -DCONFIRM_EXCEED -c
> -o f_fw.o f_fw.c
> In file included from ../shared/memutil.h:13,
>                  from util.h:14,
>                  from f_fw.c:13:
> /usr/include/sys/types.h:46: error: conflicting types for loff_t
> /usr/include/linux/types.h:30: error: previous declaration of loff_t was here
> /usr/include/sys/types.h:62: error: conflicting types for dev_t
> /usr/include/linux/types.h:13: error: previous declaration of dev_t was here
> In file included from /usr/include/sys/types.h:133,
>                  from ../shared/memutil.h:13,
>                  from util.h:14,
>                  from f_fw.c:13:
> /usr/include/time.h:105: error: conflicting types for timer_t
> /usr/include/linux/types.h:22: error: previous declaration of timer_t was here
> In file included from ../shared/memutil.h:13,
>                  from util.h:14,
>                  from f_fw.c:13:
> /usr/include/sys/types.h:198: error: conflicting types for int64_t
> /usr/include/linux/types.h:98: error: previous declaration of int64_t was here
> /usr/include/sys/types.h:204: error: conflicting types for u_int64_t
> /usr/include/linux/types.h:97: error: previous declaration of u_int64_t was here
> In file included from /usr/include/sys/types.h:220,
>                  from ../shared/memutil.h:13,
>                  from util.h:14,
>                  from f_fw.c:13:
> /usr/include/sys/select.h:78: error: conflicting types for fd_set?-?
> /usr/include/linux/types.h:12: error: previous declaration of fd_set?-? was here
> In file included from ../shared/memutil.h:13,
>                  from util.h:14,
>                  from f_fw.c:13:
> /usr/include/sys/types.h:235: error: conflicting types for blkcnt_t?-?
> /usr/include/linux/types.h:114: error: previous declaration of blkcnt_t?-? was here
> In file included from data.h:14,
>                  from location.h:21,
>                  from error.h:14,
>                  from f_fw.c:14:
> /usr/include/stdint.h:56: error: conflicting types for uint64_t
> /usr/include/linux/types.h:96: error: previous declaration of uint64_t was here
> --------------
>
> If I comment line "#include " in shared/memutil.h (like it is
> done in http://devel.dob.sk/tcng+esfq/)
> I get one error only:
> ----------
> DTOPDIR=\"/usr/local/src/tcng-non-patched\" -DDOLLAR -DCONFIRM_EXCEED -c
> -o f_fw.o f_fw.c
> In file included from data.h:14,
>                  from location.h:21,
>                  from error.h:14,
>                  from f_fw.c:14:
> /usr/include/stdint.h:41: error: conflicting types for int64_t
> /usr/include/linux/types.h:98: error: previous declaration of int64_t was here
> /usr/include/stdint.h:56: error: conflicting types for uint64_t
> /usr/include/linux/types.h:96: error: previous declaration of uint64_t was here
> ----------
>
>
> Did anybody try compiling it under 64bit?
>
> Appreciate any help with this.
>
>
> Thanks
> Roman
>
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

From gtaylor at riverviewtech.net Mon Jul 30 20:31:33 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Mon Jul 30 20:29:12 2007
Subject: [LARTC] bonding of 2 lines
In-Reply-To: <253C3920940FF849ACA6FAFE18044BDA180645@tgs-mail.gamesyndicate.nl>
References: <253C3920940FF849ACA6FAFE18044BDA180645@tgs-mail.gamesyndicate.nl>
Message-ID: <46AE2E85.1070001@riverviewtech.net>

On 07/30/07 09:15, Laurence vd Krieken wrote:
> I am working on a test-project at the moment, in which I want to
> actually bundle ('trunk') some connections. In the LARTC-manual I
> found the chapter about TEQL (see chapter 10). The situation in that
> example is to link 2 networks. I need to link a network to 1 remote
> gateway.

I don't think you will get Teql to do what you are wanting it to do.
It is my understanding that Teql is meant to load balance across serial links.

> The main goal is that 'network 1' can use the full network speed
> (4mbit/s up/down) of both connections. (2x 2mbit SDSL)

The first thing that comes to mind is PPP Multi-Linking. Establish an L2TP / PPtP tunnel between your two end nodes and then have PPP bond the two tunnels together. This used to be called "Shotgunning" with dial up and T1s. There is however no reason why it can not be done with VPNs.

The other (preferred) option that comes to mind would be Equal Cost Multi Path routing (and the associated config(s) and / or patch(s)). Seeing as how you do have two equal cost routes that you want to spread traffic across, this should be possible. However getting it set up right will be a bit tricky.

Grant. . . .

From gtaylor at riverviewtech.net Mon Jul 30 20:44:07 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Mon Jul 30 20:41:42 2007
Subject: [LARTC] bandwidth aggregation between 2 hosts in the same subnet
In-Reply-To: <20070730141010.GA27667@p15145560.pureserver.info>
References: <20070730141010.GA27667@p15145560.pureserver.info>
Message-ID: <46AE3177.3030602@riverviewtech.net>

On 07/30/07 09:10, Ralf Gross wrote:
> I'm trying to increase the bandwidth between two hosts (backup). Both
> hosts are in the same /24 subnet and each of them is connected to a
> Cisco switch by 2 GbE interfaces (intel e1000). The switches/hosts are
> located in different buildings which are connected by 3 x GbE.

Ok, this is simple enough.

> My goal is to increase the bandwidth for a single tcp session between
> the two hosts for a backup job (per packet round robin?), not for
> multiple connections between many hosts. I know that I won't get 2 x
> 115Mb/s because of packet reordering, but 20-30% more than a single
> connection would be ok.

*nod*

> Any ideas what I'm missing, or if it's possible at all?

You are barking up the wrong tree, or at least the wrong layer.
If you have any control of the switches in each building, or can have someone make changes to them for you, bond the two connections together to make one logical larger connection. Cisco calls this "EtherChannel" and Linux calls this "Bonding". In the long run you will end up with two raw ethernet devices enslaved in to one bond0 interface. These two bonded / etherchannel interfaces will have very close to 2 Gbps worth of speed.

Do this on the lower OSI Layer 2 rather than trying (and failing) to do it on the higher OSI Layer 3 where you are doing it presently.

Grant. . . .

From tami at disconnected.de Mon Jul 30 20:46:05 2007
From: tami at disconnected.de (Paul Zirnik)
Date: Mon Jul 30 20:46:20 2007
Subject: [LARTC] bandwidth aggregation between 2 hosts in the same subnet
In-Reply-To: <20070730141010.GA27667@p15145560.pureserver.info>
References: <20070730141010.GA27667@p15145560.pureserver.info>
Message-ID: <200707302046.06292.tami@disconnected.de>

On Monday 30 July 2007 16:10, Ralf Gross wrote:
>
> My goal is to increase the bandwidth for a single tcp session between
> the two hosts for a backup job (per packet round robin?), not for
> multiple connections between many hosts. I know that I won't get 2 x
> 115Mb/s because of packet reordering, but 20-30% more than a single
> connection would be ok.
>
> I followed different HowTOs
>
> http://www.lartc.org/howto/lartc.rpdb.multiple-links.html#AEN298
> http://lartc.org/howto/lartc.loadshare.html
> or something like: ip route...equalize via...
>
> but I never got a higher transfer rate between the two hosts than
> max 115Mb/s with benchmarks like netpipe or netio.

If you have different switches for each line I suggest the use of "bonding" in balance-round-robin mode.
+-------+ eth0   +--------+   eth0 +------+
| Host  |--------|switch 1|--------| Host |
|       |        +--------+        |      |
|   A   | eth1   +--------+   eth1 |  B   |
|       |--------|switch 2|--------|      |
+-------+        +--------+        +------+

See /usr/src/linux/Documentation/networking/bonding.txt

regards,
Paul

From Ralf-Lists at ralfgross.de Mon Jul 30 22:12:32 2007
From: Ralf-Lists at ralfgross.de (Ralf Gross)
Date: Mon Jul 30 22:13:59 2007
Subject: [LARTC] bandwidth aggregation between 2 hosts in the same subnet
In-Reply-To: <46AE3177.3030602@riverviewtech.net>
References: <20070730141010.GA27667@p15145560.pureserver.info> <46AE3177.3030602@riverviewtech.net>
Message-ID: <20070730201232.GB27667@p15145560.pureserver.info>

Grant Taylor wrote:
> On 07/30/07 09:10, Ralf Gross wrote:
> >I'm trying to increase the bandwidth between two hosts (backup). Both
> >hosts are in the same /24 subnet and each of them is connected to a
> >Cisco switch by 2 GbE interfaces (intel e1000). The switches/hosts are
> >located in different buildings which are connected by 3 x GbE.
>
> Ok, this is simple enough.
>
> >My goal is to increase the bandwidth for a single tcp session between
> >the two hosts for a backup job (per packet round robin?), not for
> >multiple connections between many hosts. I know that I won't get 2 x
> >115Mb/s because of packet reordering, but 20-30% more than a single
> >connection would be ok.
>
> *nod*
>
> >Any ideas what I'm missing, or if it's possible at all?
>
> You are barking up the wrong tree, or at least the wrong layer. If you
> have any control of the switches in each building, or can have someone
> make changes to them for you. Bond the two connections together to make
> one logical larger connection. Cisco calls this "EtherChannel" and
> Linux calls this "Bonding".

I've tried bonding before. But this didn't work either because the cisco switch decides on a src/dst mac/ip hash which port of the port channel will be used.
But in my case the hash is always the same because it is between host A and host B. Thus always the same interface was used.

> In the long run you will end up with two raw ethernet devices enslaved
> in to one bond0 interface. These two bonded / etherchannel interfaces
> will have very close to 2 Gbps worth of speed.

But not between host A and host B. I've gone through this a while ago, everyone told me then that I have to solve the problem on L3 ;)

> Do this on the lower OSI Layer 2 rather than trying (and failing) to do
> it on the higher OSI Layer 3 where you are doing it presently.

I think it's not possible with the Cisco switches we use here to increase the bandwidth between 2 hosts on L2.

Ralf

From Ralf-Lists at ralfgross.de Mon Jul 30 22:48:01 2007
From: Ralf-Lists at ralfgross.de (Ralf Gross)
Date: Mon Jul 30 22:48:27 2007
Subject: [LARTC] bandwidth aggregation between 2 hosts in the same subnet
In-Reply-To: <200707302046.06292.tami@disconnected.de>
References: <20070730141010.GA27667@p15145560.pureserver.info> <200707302046.06292.tami@disconnected.de>
Message-ID: <20070730204801.GD27667@p15145560.pureserver.info>

Paul Zirnik wrote:
> On Monday 30 July 2007 16:10, Ralf Gross wrote:
> >
> > My goal is to increase the bandwidth for a single tcp session between
> > the two hosts for a backup job (per packet round robin?), not for
> > multiple connections between many hosts. I know that I won't get 2 x
> > 115Mb/s because of packet reordering, but 20-30% more than a single
> > connection would be ok.
> >
> > I followed different HowTOs
> >
> > http://www.lartc.org/howto/lartc.rpdb.multiple-links.html#AEN298
> > http://lartc.org/howto/lartc.loadshare.html
> > or something like: ip route...equalize via...
> >
> > but I never got a higher transfer rate between the two hosts than
> > max 115Mb/s with benchmarks like netpipe or netio.
>
> If you have different switches for each line I suggest the use
> of "bonding" in balance-round-robin mode.
> > +-------+ eth0 +--------+ eth0 +------+ > | Host |--------|switch 1|--------| Host | > | | +--------+ | | > | A | eth1 +--------+ eth1 | B | > | |--------|switch 2|--------| | > +-------+ +--------+ +------+ I tried this setup a while ago. Both hosts were connected to a Cisco switch. On the linux hosts I created bond0 interfaces (round robin) and the switch ports on both switches were configured as Port Channels. +-------+ eth2 +----+ +----+ eth2 +------+ | Host |------ |PC1 | |PC2 | ------| Host | | | |_bond0_| |__ | |_bond0_| | | | A | | |SW1 | |SW1 | | | B | | |------ | | | | ------| | +-------+ eth3 +----+ +----+ eth3 +------+ This didn't increase the transfer rate for a tcp session between the two hosts. Because the mac and ip addresses are the same for the whole tcp session (backup). http://www.cisco.com/warp/public/473/4.html For example, if the traffic on a channel only goes to a single MAC address, use of the destination MAC address results in the choice of the same link in the channel each time. Maybe I'm missing something, but the Cisco people here told me the same. Ralf From gtaylor at riverviewtech.net Mon Jul 30 23:19:12 2007 From: gtaylor at riverviewtech.net (Grant Taylor) Date: Mon Jul 30 23:16:47 2007 Subject: [LARTC] bandwidth aggregation between 2 hosts in the same subnet In-Reply-To: <20070730201232.GB27667@p15145560.pureserver.info> References: <20070730141010.GA27667@p15145560.pureserver.info> <46AE3177.3030602@riverviewtech.net> <20070730201232.GB27667@p15145560.pureserver.info> Message-ID: <46AE55D0.3050005@riverviewtech.net> On 07/30/07 15:12, Ralf Gross wrote: > I've tried bonding before. But this didn't work either because the > cisco switch decides on a src/dst mac/ip hash which port of the port > channel will be used. But in my case the hash is always the same > because between host A and host B. Thus always the same interface was > used. Dough! So the switch is failing you. > But not between host A and host B. 
> I've gone through this a while ago; everyone told me then that I'd have to
> solve the problem on L3 ;)

*SIGH*

> I think it's not possible with the Cisco switches we use here to
> increase the bandwidth between 2 hosts on L2.

It sounds like a "per packet" or "per flow" decision that is defaulting to "per flow" for deciding which port on an EtherChannel to use. I'm not that much of a Cisco person so I can't say for sure, but I'd think there would be a setting that could be changed in the switch that would alter this so that you could get an aggregate bandwidth increase.

Doing a quick Google search (http://www.google.com/search?hl=en&q=Cisco+CEF&btnG=Google+Search) reminded me that we had to turn on Cisco Express Forwarding (a.k.a. CEF) and set the CEF to be "per packet" rather than "per flow". You might want to do some research on your switches to see if they support CEF or not. If your switches do support it you may want to talk to your switch support staff (if it is not yourself) to see if they would consider setting such up.

I am presently using CEF between a 3640 and an upstream 7204-ubr to load balance ethernet connections (bridged to SDSL) and am getting an aggregate bandwidth increase in "per packet" fashion. So, this will work between routers and I believe switches that support it.

Good luck. Let me know if there is anything else that I can do to help.

Grant. . . .

From gtaylor at riverviewtech.net Mon Jul 30 23:22:54 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Mon Jul 30 23:20:38 2007
Subject: [LARTC] bandwidth aggregation between 2 hosts in the same subnet
In-Reply-To: <20070730204801.GD27667@p15145560.pureserver.info>
References: <20070730141010.GA27667@p15145560.pureserver.info> <200707302046.06292.tami@disconnected.de> <20070730204801.GD27667@p15145560.pureserver.info>
Message-ID: <46AE56AE.3070301@riverviewtech.net>

On 07/30/07 15:48, Ralf Gross wrote:
> I tried this setup a while ago. Both hosts were connected to a Cisco
> switch.
> On the linux hosts I created bond0 interfaces (round robin)
> and the switch ports on both switches were configured as Port
> Channels.

Seeing as how this is a shortcoming of the switch I don't think that having the Linux box solve this on layer 3 will do any good. Mainly this is because the switch that the Linux box is connected to will still only use one of the ports in the EtherChannel group to send the traffic out, thus yielding a drop in throughput no matter what.

In short, I think you are going to have to solve your switches' Layer 2 problem before you do anything else. Sorry. :(

Grant. . . .

From tami at disconnected.de Tue Jul 31 09:52:33 2007
From: tami at disconnected.de (Paul Zirnik)
Date: Tue Jul 31 09:52:47 2007
Subject: [LARTC] bandwidth aggregation between 2 hosts in the same subnet
In-Reply-To: <20070730204801.GD27667@p15145560.pureserver.info>
References: <20070730141010.GA27667@p15145560.pureserver.info> <200707302046.06292.tami@disconnected.de> <20070730204801.GD27667@p15145560.pureserver.info>
Message-ID: <200707310952.33633.tami@disconnected.de>

On Monday 30 July 2007 22:48, Ralf Gross wrote:
> Paul Zirnik wrote:
> > On Monday 30 July 2007 16:10, Ralf Gross wrote:
> > > My goal is to increase the bandwidth for a single tcp session between
> > > the two hosts for a backup job (per packet round robin?), not for
> > > multiple connections between many hosts. I know that I won't get 2 x
> > > 115Mb/s because of packet reordering, but 20-30% more than a single
> > > connection would be ok.
> > >
> > > I followed different HowTOs
> > >
> > > http://www.lartc.org/howto/lartc.rpdb.multiple-links.html#AEN298
> > > http://lartc.org/howto/lartc.loadshare.html
> > > or something like: ip route...equalize via...
> > >
> > > but I never got a higher transfer rate between the two hosts than
> > > max 115Mb/s with benchmarks like netpipe or netio.
> >
> > If you have different switches for each line I suggest the use
> > of "bonding" in balance-round-robin mode.
> >
> > +-------+ eth0  +--------+  eth0 +------+
> > | Host  |-------|switch 1|-------| Host |
> > |       |       +--------+       |      |
> > |   A   | eth1  +--------+  eth1 |  B   |
> > |       |-------|switch 2|-------|      |
> > +-------+       +--------+       +------+
>
> I tried this setup a while ago. Both hosts were connected to a Cisco
> switch. On the linux hosts I created bond0 interfaces (round robin)
> and the switch ports on both switches were configured as Port
> Channels.
>
> +-------+ eth2  +----+     +----+  eth2 +------+
> | Host  |------ |PC1 |     |PC2 | ------| Host |
> |       |_bond0_|    |__   |    |_bond0_|      |
> |   A   |       |SW1 |     |SW1 |       |  B   |
> |       |------ |    |     |    | ------|      |
> +-------+ eth3  +----+     +----+  eth3 +------+
>
> This didn't increase the transfer rate for a tcp session between the
> two hosts. Because the mac and ip addresses are the same for the whole
> tcp session (backup).

This is why I said you need two different switches. With only one, the switch will always send only to one port, because it knows the MAC address and will not balance traffic on two or more ports with the same MAC address as destination. Etherchannel has no balancing algorithm; it is designed for one-to-many connections, not for 1 to 1. With two switches this is not true and the traffic will utilize both lines even for a 1-on-1 connection.
regards,
Paul

From hijacker at oldum.net Tue Jul 31 09:59:11 2007
From: hijacker at oldum.net (Nikolay Kichukov)
Date: Tue Jul 31 09:59:30 2007
Subject: [LARTC] Re: tc n00b
In-Reply-To: <20070730141028.GF20842@nyx>
References: <46ADCE10.6080906@bristol.ac.uk> <20070730121432.GB30519@toroid.org> <46ADE4A6.1020808@bristol.ac.uk> <20070730132641.GA4732@toroid.org> <46ADE943.5090504@bristol.ac.uk> <20070730134354.GA4889@toroid.org> <46ADEE68.70501@bristol.ac.uk> <20070730141028.GF20842@nyx>
Message-ID: <46AEEBCF.70700@oldum.net>

Hello,
You need to recompile your kernel and include the appropriate modules for htb to work.

The other idea I have is to use a policer to filter how much traffic PCs in the LAN upload. This is done on the LAN interface. Eliminates the need to mark packets, etc.

You just drop all the packets that are coming in too fast. And presumably your LAN can do at least 100 Mbps, so the delay of packet retransmission can be neglected.

HTH,
-Nikolay

Martin Milata wrote:
> On Mon, Jul 30, 2007 at 02:58:00PM +0100, Jonathan Gazeley wrote:
> [...]
>> 137.222.235.125
>> RTNETLINK answers: No such file or directory
>> RTNETLINK answers: Invalid argument
>> We have an error talking to the kernel
>> RTNETLINK answers: No such file or directory
>> RTNETLINK answers: Invalid argument
>> We have an error talking to the kernel
> [...]
>
> Hint: If you run your script as "bash -x script_name" (or use #!/bin/sh -x
> as shebang), you will be able to see which exact command caused the error
> message.
>
> Regards,
> -MM
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From Ralf-Lists at ralfgross.de Tue Jul 31 10:05:33 2007
From: Ralf-Lists at ralfgross.de (Ralf Gross)
Date: Tue Jul 31 10:05:56 2007
Subject: [LARTC] bandwidth aggregation between 2 hosts in the same subnet
In-Reply-To: <200707310952.33633.tami@disconnected.de>
References: <20070730141010.GA27667@p15145560.pureserver.info> <200707302046.06292.tami@disconnected.de> <20070730204801.GD27667@p15145560.pureserver.info> <200707310952.33633.tami@disconnected.de>
Message-ID: <20070731080533.GA6008@p15145560.pureserver.info>

Paul Zirnik wrote:
> This is why I said you need two different switches. With only one the switch
> will always send only to one port, because it knows the MAC address
> and will not balance traffic on two or more ports with the same MAC address
> as destination. Etherchannel has no balancing algorithm; it is designed for one to
> many connections not for 1 to 1. With two switches this is not true and the
> traffic will utilize both lines even for a 1 on 1 connection.

Ah, you mean no Port Channels at all. This would then be more like a direct crossed link?

Ralf

From jonathan.gazeley at bristol.ac.uk Tue Jul 31 11:37:13 2007
From: jonathan.gazeley at bristol.ac.uk (Jonathan Gazeley)
Date: Tue Jul 31 11:37:21 2007
Subject: [LARTC] Re: tc n00b
In-Reply-To: <46AEEBCF.70700@oldum.net>
References: <46ADCE10.6080906@bristol.ac.uk> <20070730121432.GB30519@toroid.org> <46ADE4A6.1020808@bristol.ac.uk> <20070730132641.GA4732@toroid.org> <46ADE943.5090504@bristol.ac.uk> <20070730134354.GA4889@toroid.org> <46ADEE68.70501@bristol.ac.uk> <20070730141028.GF20842@nyx> <46AEEBCF.70700@oldum.net>
Message-ID: <46AF02C9.8030309@bristol.ac.uk>

Hi Nikolay,

Thanks for your help - this looks useful. Is it possible to apply a police filter individually to each IP behind the NAT?
Thanks,
Jonathan

Nikolay Kichukov wrote:
> Hello,
> You need to recompile your kernel and include the appropriate modules
> for htb to work.
>
> The other idea I have is to use a policer to filter how much traffic PCs
> in the LAN upload. This is done on the LAN interface. Eliminates the
> need to mark packets, etc.
>
> You just drop all the packets that are coming in too fast. And
> presumably your LAN can do at least 100 Mbps, so the delay of packet
> retransmission can be neglected.
>
> HTH,
> -Nikolay
>
> Martin Milata wrote:
>> On Mon, Jul 30, 2007 at 02:58:00PM +0100, Jonathan Gazeley wrote:
>> [...]
>>> 137.222.235.125
>>> RTNETLINK answers: No such file or directory
>>> RTNETLINK answers: Invalid argument
>>> We have an error talking to the kernel
>>> RTNETLINK answers: No such file or directory
>>> RTNETLINK answers: Invalid argument
>>> We have an error talking to the kernel
>> [...]
>>
>> Hint: If you run your script as "bash -x script_name" (or use #!/bin/sh -x
>> as shebang), you will be able to see which exact command caused the error
>> message.
>>
>> Regards,
>> -MM

--
------------------------
Jonathan Gazeley
Wireless & VPN Team
Information Systems & Computing
University of Bristol
------------------------

From hijacker at oldum.net Tue Jul 31 12:00:03 2007
From: hijacker at oldum.net (Nikolay Kichukov)
Date: Tue Jul 31 12:00:23 2007
Subject: [LARTC] Re: tc n00b
In-Reply-To: <46AF02C9.8030309@bristol.ac.uk>
References: <46ADCE10.6080906@bristol.ac.uk> <20070730121432.GB30519@toroid.org> <46ADE4A6.1020808@bristol.ac.uk> <20070730132641.GA4732@toroid.org> <46ADE943.5090504@bristol.ac.uk> <20070730134354.GA4889@toroid.org> <46ADEE68.70501@bristol.ac.uk> <20070730141028.GF20842@nyx> <46AEEBCF.70700@oldum.net> <46AF02C9.8030309@bristol.ac.uk>
Message-ID: <46AF0823.3050404@oldum.net>

Hello Jonathan,
Indeed. I have tested with a limited number of IPs though. Not sure how that scheme will behave if you apply it to a huge network.

Cheers,
-Nikolay

Jonathan Gazeley wrote:
> Hi Nikolay,
>
> Thanks for your help - this looks useful. Is it possible to apply a
> police filter individually to each IP behind the NAT?
>
> Thanks,
> Jonathan
>
> Nikolay Kichukov wrote:
>> Hello,
>> You need to recompile your kernel and include the appropriate modules
>> for htb to work.
>>
>> The other idea I have is to use a policer to filter how much traffic PCs
>> in the LAN upload. This is done on the LAN interface. Eliminates the
>> need to mark packets, etc.
>>
>> You just drop all the packets that are coming in too fast. And
>> presumably your LAN can do at least 100 Mbps, so the delay of packet
>> retransmission can be neglected.
>>
>> HTH,
>> -Nikolay
>>
>> Martin Milata wrote:
>>> On Mon, Jul 30, 2007 at 02:58:00PM +0100, Jonathan Gazeley wrote:
>>> [...]
>>>> 137.222.235.125
>>>> RTNETLINK answers: No such file or directory
>>>> RTNETLINK answers: Invalid argument
>>>> We have an error talking to the kernel
>>>> RTNETLINK answers: No such file or directory
>>>> RTNETLINK answers: Invalid argument
>>>> We have an error talking to the kernel
>>> [...]
>>>
>>> Hint: If you run your script as "bash -x script_name" (or use
>>> #!/bin/sh -x as shebang), you will be able to see which exact
>>> command caused the error message.
>>>
>>> Regards,
>>> -MM

From jonathan.gazeley at bristol.ac.uk Tue Jul 31 12:08:46 2007
From: jonathan.gazeley at bristol.ac.uk (Jonathan Gazeley)
Date: Tue Jul 31 12:08:51 2007
Subject: [LARTC] Re: tc n00b
In-Reply-To: <46AF0823.3050404@oldum.net>
References: <46ADCE10.6080906@bristol.ac.uk> <20070730121432.GB30519@toroid.org> <46ADE4A6.1020808@bristol.ac.uk> <20070730132641.GA4732@toroid.org> <46ADE943.5090504@bristol.ac.uk> <20070730134354.GA4889@toroid.org> <46ADEE68.70501@bristol.ac.uk> <20070730141028.GF20842@nyx> <46AEEBCF.70700@oldum.net> <46AF02C9.8030309@bristol.ac.uk> <46AF0823.3050404@oldum.net>
Message-ID: <46AF0A2E.3060207@bristol.ac.uk>

Hi Nikolay,

How might this be implemented? I have used a shell script that loops around with a new IP address each time, and then my police line looks like this:

tc filter add dev $LAN parent 1: protocol ip prio 50 u32 match ip src 137.222.$j.$i police rate ${UPLINK}kbit burst 10k drop flowid :1

However my clients still have unlimited uplink.
The other day, someone told me that when the tc box is also NATing, the source IP is rewritten before the police filter is applied - meaning that you cannot match on source IP. How did you overcome this problem?

Thanks for your help,
Jonathan

Nikolay Kichukov wrote:
> Hello Jonathan,
> Indeed. I have tested with a limited number of IPs though. Not sure how
> that scheme will behave if you apply it to a huge network.
>
> Cheers,
> -Nikolay
>
> Jonathan Gazeley wrote:
>> Hi Nikolay,
>>
>> Thanks for your help - this looks useful. Is it possible to apply a
>> police filter individually to each IP behind the NAT?
>>
>> Thanks,
>> Jonathan
>>
>> Nikolay Kichukov wrote:
>>> Hello,
>>> You need to recompile your kernel and include the appropriate modules
>>> for htb to work.
>>>
>>> The other idea I have is to use a policer to filter how much traffic PCs
>>> in the LAN upload. This is done on the LAN interface. Eliminates the
>>> need to mark packets, etc.
>>>
>>> You just drop all the packets that are coming in too fast. And
>>> presumably your LAN can do at least 100 Mbps, so the delay of packet
>>> retransmission can be neglected.
>>>
>>> HTH,
>>> -Nikolay
>>>
>>> Martin Milata wrote:
>>>> On Mon, Jul 30, 2007 at 02:58:00PM +0100, Jonathan Gazeley wrote:
>>>> [...]
>>>>> 137.222.235.125
>>>>> RTNETLINK answers: No such file or directory
>>>>> RTNETLINK answers: Invalid argument
>>>>> We have an error talking to the kernel
>>>>> RTNETLINK answers: No such file or directory
>>>>> RTNETLINK answers: Invalid argument
>>>>> We have an error talking to the kernel
>>>> [...]
>>>>
>>>> Hint: If you run your script as "bash -x script_name" (or use
>>>> #!/bin/sh -x as shebang), you will be able to see which exact
>>>> command caused the error message.
>>>>
>>>> Regards,
>>>> -MM

--
------------------------
Jonathan Gazeley
Wireless & VPN Team
Information Systems & Computing
University of Bristol
------------------------

From Ralf-Lists at ralfgross.de Tue Jul 31 13:01:33 2007
From: Ralf-Lists at ralfgross.de (Ralf Gross)
Date: Tue Jul 31 13:01:57 2007
Subject: [LARTC] bandwidth aggregation between 2 hosts in the same subnet
In-Reply-To: <200707310952.33633.tami@disconnected.de>
References: <20070730141010.GA27667@p15145560.pureserver.info> <200707302046.06292.tami@disconnected.de> <20070730204801.GD27667@p15145560.pureserver.info> <200707310952.33633.tami@disconnected.de>
Message-ID: <20070731110133.GF6008@p15145560.pureserver.info>

Paul Zirnik wrote:
> > > On Monday 30 July 2007 16:10, Ralf Gross wrote:
> > > > My goal is to increase the bandwidth for a single tcp session between
> > > > the two hosts for a backup job (per packet round robin?), not for
> > > > multiple connections between many hosts. I know that I won't get 2 x
> > > > 115Mb/s because of packet reordering, but 20-30% more than a single
> > > > connection would be ok.
> > > >
> > > > I followed different HowTOs
> > > >
> > > > http://www.lartc.org/howto/lartc.rpdb.multiple-links.html#AEN298
> > > > http://lartc.org/howto/lartc.loadshare.html
> > > > or something like: ip route...equalize via...
> > > >
> > > > but I never got a higher transfer rate between the two hosts than
> > > > max 115Mb/s with benchmarks like netpipe or netio.
> > >
> > > If you have different switches for each line I suggest the use
> > > of "bonding" in balance-round-robin mode.
> > >
> > > +-------+ eth0  +--------+  eth0 +------+
> > > | Host  |-------|switch 1|-------| Host |
> > > |       |       +--------+       |      |
> > > |   A   | eth1  +--------+  eth1 |  B   |
> > > |       |-------|switch 2|-------|      |
> > > +-------+       +--------+       +------+
> >
> > I tried this setup a while ago. Both hosts were connected to a Cisco
> > switch. On the linux hosts I created bond0 interfaces (round robin)
> > and the switch ports on both switches were configured as Port
> > Channels.

[...]

> > This didn't increase the transfer rate for a tcp session between the
> > two hosts. Because the mac and ip addresses are the same for the whole
> > tcp session (backup).
>
> This is why I said you need two different switches. With only one
> the switch will always send only to one port, because it knows the
> MAC address and will not balance traffic on two or more ports with
> the same MAC address as destination. Etherchannel has no balancing
> algorithm; it is designed for one to many connections not for 1 to 1. With
> two switches this is not true and the traffic will utilize both
> lines even for a 1 on 1 connection.

I'm still a bit confused. If I use balance-rr without Etherchannels the bond0 MAC address will show up on 2 different switches. AFAIK, and from what the networking staff told me, that will result in problems.

In your graph both hosts are connected by two switches and both hosts are directly connected to each of the switches. In my case there are more switches involved because the hosts are not in the same building.

That's the setup at the moment.
      building A                                            building B
+--------+        +----------+              +----------+        +--------+
|        |eth2  p1|cisco 6509|   3 x GbE    |cisco 6509|p1  eth2|        |
| Host A +--------+ switch/  +------------->| switch/  +--------+ Host B |
| data   +--------+ router   |maybe more    | router   +--------+ backup |
|        |eth3  p2|          |switches      |          |p2  eth3|        |
+--------+        +----------+between the   +----------+        +--------+
                              buildings

I think you refer to this part of the bonding documentation:

http://belnet.dl.sourceforge.net/sourceforge/bonding/bonding.txt

|12.2 Maximum Throughput in a Multiple Switch Topology
|-----------------------------------------------------
|
|	Multiple switches may be utilized to optimize for throughput
|when they are configured in parallel as part of an isolated network
|between two or more systems, for example:
|
|                       +-----------+
|                       |  Host A   |
|                       +-+---+---+-+
|                         |   |   |
|                +--------+   |   +---------+
|                |            |             |
|         +------+---+  +-----+----+  +-----+----+
|         | Switch A |  | Switch B |  | Switch C |
|         +------+---+  +-----+----+  +-----+----+
|                |            |             |
|                +--------+   |   +---------+
|                         |   |   |
|                       +-+---+---+-+
|                       |  Host B   |
|                       +-----------+
|
|[...]
|When employed in this fashion, the balance-rr mode allows individual
|connections between two hosts to effectively utilize greater than one
|interface's bandwidth.

But I don't have an isolated network. Maybe I'm still too blind to see a simple solution.
Thanks,
Ralf

From hijacker at oldum.net Tue Jul 31 13:24:55 2007
From: hijacker at oldum.net (Nikolay Kichukov)
Date: Tue Jul 31 13:25:07 2007
Subject: [LARTC] Re: tc n00b
In-Reply-To: <46AF0A2E.3060207@bristol.ac.uk>
References: <46ADCE10.6080906@bristol.ac.uk> <20070730121432.GB30519@toroid.org> <46ADE4A6.1020808@bristol.ac.uk> <20070730132641.GA4732@toroid.org> <46ADE943.5090504@bristol.ac.uk> <20070730134354.GA4889@toroid.org> <46ADEE68.70501@bristol.ac.uk> <20070730141028.GF20842@nyx> <46AEEBCF.70700@oldum.net> <46AF02C9.8030309@bristol.ac.uk> <46AF0823.3050404@oldum.net> <46AF0A2E.3060207@bristol.ac.uk>
Message-ID: <46AF1C07.9030206@oldum.net>

Hello,
The policer is not 1: but ffff:, not egress (root) but ingress.

Let me give you an example:

tc qdisc add dev eth0 ingress handle ffff:
TC_FILTER="tc filter add dev eth0 parent ffff: protocol ip"
$TC_FILTER prio 2 u32 match ip src 192.168.0.6/32 police rate 32kbit burst 16kb drop flowid ffff:
$TC_FILTER prio 2 u32 match ip src 192.168.0.4/32 police rate 128kbit burst 32kb drop flowid ffff:
$TC_FILTER prio 2 u32 match ip src 192.168.0.2/32 police rate 128kbit burst 32kb drop flowid ffff:
$TC_FILTER prio 2 u32 match ip src 192.168.0.5/32 police rate 128kbit burst 32kb drop flowid ffff:

eth0 is the LAN interface which the 192.168.0.0/24 IPs are connected to.

The rest is self explanatory.

Let me know if I can help you with anything else.

Cheers,
-Nik

Jonathan Gazeley wrote:
> Hi Nikolay,
>
> How might this be implemented? I have used a shell script that loops
> around with a new IP address each time, and then my police line looks
> like this:
>
> tc filter add dev $LAN parent 1: protocol ip prio 50 u32 match ip src
> 137.222.$j.$i police rate ${UPLINK}kbit burst 10k drop flowid :1
>
> However my clients still have unlimited uplink. The other day, someone
> told me that when the tc box is also NATing, the source IP is rewritten
> before the police filter is applied - meaning that you cannot match on
> source IP.
> How did you overcome this problem?
>
> Thanks for your help,
> Jonathan
>
> Nikolay Kichukov wrote:
>> Hello Jonathan,
>> Indeed. I have tested with a limited number of IPs though. Not sure how
>> that scheme will behave if you apply it to a huge network.
>>
>> Cheers,
>> -Nikolay
>>
>> Jonathan Gazeley wrote:
>>> Hi Nikolay,
>>>
>>> Thanks for your help - this looks useful. Is it possible to apply a
>>> police filter individually to each IP behind the NAT?
>>>
>>> Thanks,
>>> Jonathan
>>>
>>> Nikolay Kichukov wrote:
>>>> Hello,
>>>> You need to recompile your kernel and include the appropriate modules
>>>> for htb to work.
>>>>
>>>> The other idea I have is to use a policer to filter how much traffic PCs
>>>> in the LAN upload. This is done on the LAN interface. Eliminates the
>>>> need to mark packets, etc.
>>>>
>>>> You just drop all the packets that are coming in too fast. And
>>>> presumably your LAN can do at least 100 Mbps, so the delay of packet
>>>> retransmission can be neglected.
>>>>
>>>> HTH,
>>>> -Nikolay
>>>>
>>>> Martin Milata wrote:
>>>>> On Mon, Jul 30, 2007 at 02:58:00PM +0100, Jonathan Gazeley wrote:
>>>>> [...]
>>>>>> 137.222.235.125
>>>>>> RTNETLINK answers: No such file or directory
>>>>>> RTNETLINK answers: Invalid argument
>>>>>> We have an error talking to the kernel
>>>>>> RTNETLINK answers: No such file or directory
>>>>>> RTNETLINK answers: Invalid argument
>>>>>> We have an error talking to the kernel
>>>>> [...]
>>>>>
>>>>> Hint: If you run your script as "bash -x script_name" (or use
>>>>> #!/bin/sh -x as shebang), you will be able to see which exact
>>>>> command caused the error message.
>>>>>
>>>>> Regards,
>>>>> -MM

From nic-lartc at studentergaarden.dk Tue Jul 31 14:30:52 2007
From: nic-lartc at studentergaarden.dk (nic-lartc@studentergaarden.dk)
Date: Tue Jul 31 14:30:25 2007
Subject: [LARTC] Operation failed: such conntrack doesn't exist - when it does?
Message-ID: <46AF2B7C.8060204@studentergaarden.dk>

Hi gurus

I want to destroy all state table entries/reset all connections for a particular client. When I issue conntrack -L -s , it lists loads of state entries. When I issue conntrack -D -s it answers "NFNETLINK answers: No such file or directory Operation failed: such conntrack doesn't exist."

I have googled the problem, but can find only either unanswered or "there was actually really a bug in conntrack on that kernel version, it is now fixed" posts from a while back.

Is this an error or is my syntax wrong/am I doing something silly?

Debugging info, including kernel version and strace (I am root):

dragon:/home/nicolas# conntrack -L -s 172.16.98.255
tcp      6 431690 ESTABLISHED src=172.16.98.255 dst=209.85.135.xxx sport=4956 dport=80 packets=4 bytes=1033 src=209.85.135.xxx dst=130.226.169.xxx sport=80 dport=4956 packets=3 bytes=1091 [ASSURED] mark=0 use=1
tcp      6 431983 ESTABLISHED src=172.16.98.255 dst=207.46.110.xxx sport=1050 dport=1863 packets=327 bytes=16935 src=207.46.110.xxx dst=130.226.169.xxx sport=1863 dport=1050 packets=177 bytes=17375 [ASSURED] mark=0 use=1
tcp      6 315337 ESTABLISHED src=172.16.98.255 dst=80.252.91.xxx sport=4882 dport=80 packets=16 bytes=6768 src=80.252.91.xxx dst=130.226.169.xxx sport=80 dport=4882 packets=13 bytes=8626 [ASSURED] mark=0 use=2
... more cut for clarity ...

dragon:/home/nicolas# conntrack -D -s 172.16.98.255
NFNETLINK answers: No such file or directory
Operation failed: such conntrack doesn't exist

dragon:/home/nicolas# uname -a
Linux dragon 2.6.18-4-686 #1 SMP Wed May 9 23:03:12 UTC 2007 i686 GNU/Linux
(Debian Etch)

strace

dragon:/home/nicolas# strace conntrack -D -s 172.16.98.255
execve("/usr/sbin/conntrack", ["conntrack", "-D", "-s", "172.16.98.255"], [/* 19 vars */]) = 0
uname({sys="Linux", node="dragon", ...}) = 0
brk(0) = 0x804e000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fde000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fdd000
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=17386, ...}) = 0
mmap2(NULL, 17386, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7fd8000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/usr/lib/libnetfilter_conntrack.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000\24\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=19232, ...}) = 0
mmap2(NULL, 22420, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7fd2000
mmap2(0xb7fd7000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4) = 0xb7fd7000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/tls/i686/cmov/libdl.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20\f\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=9592, ...}) = 0
mmap2(NULL, 12404, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7fce000
mmap2(0xb7fd0000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7fd0000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240O\1"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=1241392, ...}) = 0
mmap2(NULL, 1247388, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e9d000
mmap2(0xb7fc4000, 28672, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x127) = 0xb7fc4000
mmap2(0xb7fcb000, 10396, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7fcb000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/usr/lib/libnfnetlink.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220\v\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=10956, ...}) = 0
mmap2(NULL, 14252, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e99000
mmap2(0xb7e9c000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2) = 0xb7e9c000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7e98000
mprotect(0xb7fc4000, 20480, PROT_READ) = 0
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7e98ae0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
munmap(0xb7fd8000, 17386) = 0
brk(0) = 0x804e000
brk(0x806f000) = 0x806f000
socket(PF_NETLINK, SOCK_RAW, 12) = 3
getsockname(3, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 0
time(NULL) = 1185884349
bind(3, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
getsockname(3, {sa_family=AF_NETLINK, pid=1925, groups=00000000}, [12]) = 0
bind(3, {sa_family=AF_NETLINK, pid=1925, groups=00000000}, 12) = 0
open("/usr/lib/libnetfilter_conntrack//nfct_l3proto_ipv4-0.0.31.so", O_RDONLY) = 4
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000\5\0"..., 512) = 512
fstat64(4, {st_mode=S_IFREG|0644, st_size=3708, ...}) = 0
mmap2(NULL, 6632, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0xb7fdb000
mmap2(0xb7fdc000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0) = 0xb7fdc000
close(4) = 0
sendmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"8\0\0\0\2\1\5\3\277(\257F\0\0\0\0\2\0\0\0$\0\1\200\24\0"..., 56}], msg_controllen=0, msg_flags=0}, 0) = 56
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"$\0\0\0\2\0\0\0\277(\257F\205\7\0\0\376\377\377\3778\0"..., 8192}], msg_controllen=0, msg_flags=0}, 0) = 36
dup(2) = 4
fcntl64(4, F_GETFL) = 0x8002 (flags O_RDWR|O_LARGEFILE)
fstat64(4, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fda000
_llseek(4, 0, 0xbfa51594, SEEK_CUR) = -1 ESPIPE (Illegal seek)
write(4, "NFNETLINK answers: No such file "..., 45NFNETLINK answers: No such file or directory
) = 45
close(4) = 0
munmap(0xb7fda000, 4096) = 0
close(3) = 0
write(2, "Operation failed: such conntrack"..., 47Operation failed: such conntrack doesn't exist
) = 47
exit_group(1) = ?
Process 1925 detached

From hijacker at oldum.net Tue Jul 31 16:33:10 2007
From: hijacker at oldum.net (Nikolay Kichukov)
Date: Tue Jul 31 16:33:33 2007
Subject: [LARTC] Re: tc n00b
In-Reply-To: <46AF412A.9000200@bristol.ac.uk>
References: <46ADCE10.6080906@bristol.ac.uk> <20070730121432.GB30519@toroid.org> <46ADE4A6.1020808@bristol.ac.uk> <20070730132641.GA4732@toroid.org> <46ADE943.5090504@bristol.ac.uk> <20070730134354.GA4889@toroid.org> <46ADEE68.70501@bristol.ac.uk> <20070730141028.GF20842@nyx> <46AEEBCF.70700@oldum.net> <46AF02C9.8030309@bristol.ac.uk> <46AF0823.3050404@oldum.net> <46AF0A2E.3060207@bristol.ac.uk> <46AF1C07.9030206@oldum.net> <46AF412A.9000200@bristol.ac.uk>
Message-ID: <46AF4826.40400@oldum.net>

Hello Jonathan,
The scenario works perfectly well on a NAT router. See, you drop the excess bits on the interface where the packets arrive, which is before NATing.
Maybe we speak about different scenarios here? What I describe limits the maximum upload speed for ip in the LAN. Let me know the packet flow with the interfaces and IP addresses. Cheers, -Nikolay p.s. I am also CCing the lartc mailing list in case someone else can help. Jonathan Gazeley wrote: > Hi Nikolay, > > Thanks for this. I tried using the code below, but it did not work for > me. Is your server running tc also a NAT box? The reason I think my code > isn't working is because NAT and tc are on the same server, meaning that > the source IP of an outgoing packet is rewritten _before_ it gets to tc > -- meaning that it is not possible to match packets by source IP. > > Cheers, > Jonathan > > Nikolay Kichukov wrote: >> Hello, >> The policer is not 1: but ffff:, not egress (root) but ingress. >> >> Let me give you an example: >>
>> tc qdisc add dev eth0 ingress handle ffff:
>> TC_FILTER="tc filter add dev eth0 parent ffff: protocol ip"
>> $TC_FILTER prio 2 u32 match ip src 192.168.0.6/32 police rate 32kbit burst 16kb drop flowid ffff:
>> $TC_FILTER prio 2 u32 match ip src 192.168.0.4/32 police rate 128kbit burst 32kb drop flowid ffff:
>> $TC_FILTER prio 2 u32 match ip src 192.168.0.2/32 police rate 128kbit burst 32kb drop flowid ffff:
>> $TC_FILTER prio 2 u32 match ip src 192.168.0.5/32 police rate 128kbit burst 32kb drop flowid ffff:
>> >> >> eth0 is the LAN interface which the 192.168.0.0/24 IPs are connected to. >> >> The rest is self explanatory. >> >> Let me know if I can help you with anything else. >> >> Cheers, >> -Nik >> >> >> >> Jonathan Gazeley wrote: >> >>> Hi Nikolay, >>> >>> How might this be implemented? I have used a shell script that loops >>> around with a new IP address each time, and then my police line looks >>> like this: >>>
>>> tc filter add dev $LAN parent 1: protocol ip prio 50 u32 match ip src 137.222.$j.$i police rate ${UPLINK}kbit burst 10k drop flowid :1
>>> >>> However my clients still have unlimited uplink.
The other day, someone >>> told me that when the tc box is also NATing, the source IP is rewritten >>> before the police filter is applied - meaning that you cannot match on >>> source IP. How did you overcome this problem? >>> >>> Thanks for your help, >>> Jonathan >>> >>> >>> Nikolay Kichukov wrote: >>> >>>> Hello Jonathan, >>>> Indeed. I have tested with limited number of IPs though. Not sure how >>>> that scheme will behave if you apply it to a huge network. >>>> >>>> Cheers, >>>> -Nikolay >>>> >>>> Jonathan Gazeley wrote: >>>> >>>> >>>>> Hi Nikolay, >>>>> >>>>> Thanks for your help - this looks useful. Is it possible to apply a >>>>> police filter individually to each IP behind the NAT? >>>>> >>>>> Thanks, >>>>> Jonathan >>>>> >>>>> Nikolay Kichukov wrote: >>>>> >>>>>> Hello, >>>>>> You need to recompile your kernel and include the appropriate modules >>>>>> for htb to work. >>>>>> >>>>>> The other idea I have is to use policer to filter how much traffic >>>>>> PCs >>>>>> in the LAN upload. This is done on the LAN interface. Eliminates the >>>>>> need to mark packets, etc. >>>>>> >>>>>> You just drop all the packets that are coming in too fast. And >>>>>> presumably your LAN can do at least 100mbps, so the delay of packet >>>>>> retransmission can be neglected. >>>>>> >>>>>> HTH, >>>>>> -Nikolay >>>>>> >>>>>> Martin Milata wrote: >>>>>> >>>>>> >>>>>>> On Mon, Jul 30, 2007 at 02:58:00PM +0100, Jonathan Gazeley wrote: >>>>>>> [...] >>>>>>> >>>>>>>> 137.222.235.125 >>>>>>>> RTNETLINK answers: No such file or directory >>>>>>>> RTNETLINK answers: Invalid argument >>>>>>>> We have an error talking to the kernel >>>>>>>> RTNETLINK answers: No such file or directory >>>>>>>> RTNETLINK answers: Invalid argument >>>>>>>> We have an error talking to the kernel >>>>>>>> >>>>>>> [...]
>>>>>>> >>>>>>> Hint: If you run your script as "bash -x script_name" (or use >>>>>>> #!/bin/sh -x >>>>>>> as shebang), you will be able to see which exact command caused the >>>>>>> error >>>>>>> message. >>>>>>> >>>>>>> Regards, >>>>>>> -MM >>>>>>> _______________________________________________ >>>>>>> LARTC mailing list >>>>>>> LARTC@mailman.ds9a.nl >>>>>>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc >>>>>>> >>>>>> _______________________________________________ >>>>>> LARTC mailing list >>>>>> LARTC@mailman.ds9a.nl >>>>>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc >>>>>> > From gtaylor at riverviewtech.net Tue Jul 31 17:25:57 2007 From: gtaylor at riverviewtech.net (Grant Taylor) Date: Tue Jul 31 17:23:33 2007 Subject: [LARTC] bandwidth aggregation between 2 hosts in the same subnet In-Reply-To: <20070731110133.GF6008@p15145560.pureserver.info> References: <20070730141010.GA27667@p15145560.pureserver.info> <200707302046.06292.tami@disconnected.de> <20070730204801.GD27667@p15145560.pureserver.info> <200707310952.33633.tami@disconnected.de> <20070731110133.GF6008@p15145560.pureserver.info> Message-ID: <46AF5485.1030205@riverviewtech.net> On 07/31/07 06:01, Ralf Gross wrote: > But I don't have an isolated network. Maybe I'm still too blind to > see a simple solution. This is why Paul's solution, though accurate, will not work in your scenario. The fact that you are trying to go across an aggregated link in the middle between the two buildings where you have no control is going to hinder you severely. The only other nasty thing that comes to mind is to assign additional MAC / IP sets to each system on their second interfaces. Establish IP-IP (?) tunnels between the two systems via each pair of MAC / IP sets. I.e. Machine A Primary MAC / IP set to machine B Primary MAC / IP set and Machine A Secondary MAC / IP set to machine B Secondary MAC / IP set. Thus yielding two tunnels between the two machines.
Then if you were trying to get to an IP address that could be routed by the IP address at the end of either tunnel, you could then use something like Equal Cost Multi Path (a.k.a. ECMP) routing to send packets down both routes. Seeing as how the traffic you are sending will be encapsulated in IP-IP tunnel packets, each of which should be between its own MAC / IP sets, the switches should not cause a problem by doing what they are doing. Grant. . . . From Ralf-Lists at ralfgross.de Tue Jul 31 17:31:02 2007 From: Ralf-Lists at ralfgross.de (Ralf Gross) Date: Tue Jul 31 17:31:26 2007 Subject: [LARTC] bandwidth aggregation between 2 hosts in the same subnet In-Reply-To: <46AE55D0.3050005@riverviewtech.net> References: <20070730141010.GA27667@p15145560.pureserver.info> <46AE3177.3030602@riverviewtech.net> <20070730201232.GB27667@p15145560.pureserver.info> <46AE55D0.3050005@riverviewtech.net> Message-ID: <20070731153102.GH6008@p15145560.pureserver.info> Grant Taylor schrieb: > >I think it's not possible with the Cisco switches we use here to > >increase the bandwidth between 2 hosts on L2. > > It sounds like a "per packet" or "per flow" decision that is defaulting > to "per flow" for deciding which port on an EtherChannel to use. > > I'm not that much of a Cisco person so I can't say for sure, but I'd > think there would be a setting that could be changed in the switch that > would alter this so that you could get an aggregate bandwidth increase. > > Doing a quick Google search > (http://www.google.com/search?hl=en&q=Cisco+CEF&btnG=Google+Search) > reminded me that we had to turn on Cisco Express Forwarding (a.k.a. CEF) > and set the CEF to be "per packet" rather than "per flow". You might > want to do some research on your switches to see if they support CEF or > not. If your switches do support it you may want to talk to your switch > support staff (if it is not your self) to see if they would consider > setting such up.
I've talked to one of the people of the network staff. He meant they never used CEF in this type of scenario. I'm also not very familiar with Cisco products. > I am presently using CEF between a 3640 and an upstream 7204-ubr to load > balance ethernet connections (bridged to SDSL) and am getting an > aggregate bandwidth increase in "per packet" fashion. So, this will > work between routers and I believe switches that support it. > > Good luck. Let me know if there is any thing else that I can do to help. If you could give me more details on your CEF setup, that would maybe help me to show them what a CEF config should look like. But I'm still not sure if CEF is a thing that is designed to work with client-client connections. Ralf From gtaylor at riverviewtech.net Tue Jul 31 18:31:41 2007 From: gtaylor at riverviewtech.net (Grant Taylor) Date: Tue Jul 31 18:29:18 2007 Subject: [LARTC] bandwidth aggregation between 2 hosts in the same subnet In-Reply-To: <20070731153102.GH6008@p15145560.pureserver.info> References: <20070730141010.GA27667@p15145560.pureserver.info> <46AE3177.3030602@riverviewtech.net> <20070730201232.GB27667@p15145560.pureserver.info> <46AE55D0.3050005@riverviewtech.net> <20070731153102.GH6008@p15145560.pureserver.info> Message-ID: <46AF63ED.2080805@riverviewtech.net> On 07/31/07 10:31, Ralf Gross wrote: > I've talked to one of the people of the network staff. He meant they > never used CEF in this type of scenario. I'm also not very familiar > with Cisco products. My physical scenario is a Cisco 3640 router with two (10BaseT) ethernet connections connected to external ethernet to SDSL bridging modems. The SDSL modems bridge the ethernet to an ATM circuit. The ATM circuit is terminated in a Cisco 7206 (I think it's a 6) UBR router at my ISP. Cisco Express Forwarding is being run on the local 3640 and the remote 7206 to control which connection the packets are being routed down.
The local 3640 has two routes upstream, each being the remote IP for each of the ATM links. Correspondingly the 7206 has two routes to a (globally) routable subnet behind the local 3640. As I understand it, CEF (ultimately) builds a forwarding information base (a.k.a. FIB) from the routing tables. So if you have multiple routes, CEF will know about them. CEF will then divide the traffic either "per flow" or "per packet" across all available routes so that more aggregate bandwidth is achieved. In my scenario, I am using CEF via OSPF to combine two 1.1 Mbps SDSL connections to get close to 2 Mbps worth of aggregate bandwidth to the net. I can and do routinely receive 1.5 - 1.8 Mbps throughput via FTP / HTTP / BitTorrent. (Though BitTorrent by nature is not the best example) > If you could give me more details on your CEF setup, that would maybe > help me to show them what a CEF config should look like. I think I have done so above. If you want config examples, contact me off list as I don't want to publish it to the world. > But I'm still not sure if CEF is a thing that is designed to work > with client-client connections. I can't say for sure one way or the other, but I think that CEF will achieve what you are wanting to do as long as the device you are connecting to will support it. I know that more and more layer 3 devices support it. So, that being said if your switches are recent layer 3 switches, I'd say that they will support CEF. I don't know for sure though. Grant. . . .
From ams at toroid.org Tue Jul 31 20:40:43 2007 From: ams at toroid.org (Abhijit Menon-Sen) Date: Tue Jul 31 20:40:49 2007 Subject: [LARTC] Re: gateway failover with linux In-Reply-To: <20070721002954.GA14479@toroid.org> References: <20070719170251.GA24923@toroid.org> <469FD455.9050903@riverviewtech.net> <20070720012032.GA29284@toroid.org> <46A0D0C1.4090805@riverviewtech.net> <20070721002954.GA14479@toroid.org> Message-ID: <20070731184043.GA17348@toroid.org> At 2007-07-21 05:59:54 +0530, ams@toroid.org wrote: > > If I have the time, I'll try out ucarp and post a summary of my > experiences for the archives. Not much to report. I set up ucarp as directed in the README, and it just worked. It was simple and did what I wanted (which was to allow two machines to share a virtual IP with heartbeat/failover). -- ams From fubar at us.ibm.com Tue Jul 31 21:58:18 2007 From: fubar at us.ibm.com (Jay Vosburgh) Date: Tue Jul 31 21:58:29 2007 Subject: [LARTC] bandwidth aggregation between 2 hosts in the same subnet In-Reply-To: <46AF5485.1030205@riverviewtech.net> References: <20070730141010.GA27667@p15145560.pureserver.info> <200707302046.06292.tami@disconnected.de> <20070730204801.GD27667@p15145560.pureserver.info> <200707310952.33633.tami@disconnected.de> <20070731110133.GF6008@p15145560.pureserver.info> <46AF5485.1030205@riverviewtech.net> Message-ID: <7210.1185911898@death> Grant Taylor wrote: >On 07/31/07 06:01, Ralf Gross wrote: >> But I don't have an isolated network. Maybe I'm still too blind to see a >> simple solution. There really isn't a simple solution, since you're not doing something simple. It sounds simple to say you want to aggregate bandwidth from multiple interfaces for use by one TCP connection, but it's actually a pretty complicated problem to solve. The diagram and description in the bonding documentation describing the isolated network is really meant for use in clusters, and is more historical than anything else these days. 
In the days of yore, it was fairly cost effective to connect several switches to several systems such that each system had one port into each switch (as opposed to buying a single, much larger, switch). With no packet coalescing or the like, balance-rr would tend to deliver packets in order to the end systems (one packet per interrupt), and a given connection could get pretty close to full striped throughput. This type of arrangement breaks down with modern network hardware, since there is no longer a one-to-one relationship between interrupts and packet arrival. >The fact that you are trying to go across an aggregated link in the middle >between the two buildings where you have no control is going to hinder you >severely. Yes. You're also running up against the fact that, traditionally, Etherchannel (and equivalents) is generally meant to aggregate trunks, optimizing for overall maximum throughput across multiple connections. It's not really optimized to permit a single connection to effectively utilize the combined bandwidth of multiple links. >The only other nasty thing that comes to mind is to assign additional MAC >/ IP sets to each system on their second interfaces. Another similar Rube Goldberg sort of scheme I've set up in the past (in the lab, for bonding testing, not in a production environment, your mileage may vary, etc, etc) is to dedicate particular switch ports to particular vlans. So, e.g.,
linux box eth0 ---- port 1:vlan 99 SWITCH(ES) port2:vlan 99 ---- eth0 linux box
bond0     eth1 ---- port 3:vlan 88 SWITCH(ES) port4:vlan 88 ---- eth1 bond0
This sort of arrangement requires setting the Cisco switch ports to be native to a particular vlan, e.g., "switchport mode access", "switchport access vlan 88". Theoretically, the intervening switches will simply pass the vlan traffic through and not decapsulate it until it reaches its end destination port.
You might also have to fool with the inter-switch links to make sure they're trunking properly (to pass the vlan traffic). The downside of this sort of scheme is that the bond0 instances can only communicate with each other, unless you have the ability for one of the intermediate switches to route between the vlan and the regular network, or you have some other host also attached to the vlans to act as a gateway to the rest of the network. My switches won't route, since they're switch-only models (2960/2970/3550), with no layer 3 capability, and I've never tried setting up a separate gateway host in such a configuration. This also won't work if the intervening switches either (a) don't have higher capacity inter-switch links or (b) don't spread the traffic across the ISLs any better than they do on a regular etherchannel. Basically, you want to take the switches out of the equation (so the load balance algorithm used by etherchannel doesn't disturb the even balance of the round robin transmission). There might be other ways to essentially tunnel from port 1 to 2 and 3 to 4 (in my diagram above), but that's really what you're looking to do. Lastly, as long as I'm here, I can give my usual commentary about TCP packet reordering. The bonding balance-rr mode will generally deliver packets out of order (to an aggregated destination; if you feed a balance-rr of N links at speed X into a single link with enough capacity to handle N * X bandwidth, you don't see this problem). This is ignoring any port assignment a switch might do. TCP's action upon receiving packets out of order is typically to issue an ACK indicating a lost segment (fast retransmit; by default, after 3 segments arrive out of order). On linux, this threshold can be adjusted via the net.ipv4.tcp_reordering sysctl. Crank it up to 127 or so and the reordering effect is minimized, although there are other congestion control effects. 
The bottom line is that you won't ever see N * X bandwidth on a single TCP connection, and the improvement factor falls off as the number of links in the aggregate increases. With four links, you're doing pretty good to get about 2.3 links worth of throughput. If memory serves, with two links you top out around 1.5. So, the real question is: Since you've got two links, how important is that 0.5 improvement in transfer speed? Can you instead figure out a way to split your backup problem into pieces, and run them concurrently? That can be a much easier problem to tackle, given that it's trivial to add extra IP addresses to the hosts on each end, and presumably your higher end Cisco gear will permit a load-balance algorithm other than straight MAC address XOR. E.g., the 2960 I've got handy permits:
slime(config)#port-channel load-balance ?
  dst-ip       Dst IP Addr
  dst-mac      Dst Mac Addr
  src-dst-ip   Src XOR Dst IP Addr
  src-dst-mac  Src XOR Dst Mac Addr
  src-ip       Src IP Addr
  src-mac      Src Mac Addr
so it's possible to get the IP address into the port selection math, and adding IP addresses is pretty straightforward. -J --- -Jay Vosburgh, IBM Linux Technology Center, fubar@us.ibm.com From Jon.J.Flechsenhaar at boeing.com Tue Jul 31 22:11:53 2007 From: Jon.J.Flechsenhaar at boeing.com (Flechsenhaar, Jon J) Date: Tue Jul 31 22:12:42 2007 Subject: [LARTC] IntServ QoS question Message-ID: <0E24ED2A7F9AA349A8633E6A56A64BE0027A83F7@XCH-SW-2V1.sw.nos.boeing.com> I'm using KOM_RSVP. I'm trying to figure out what triggers an RSVP session. When I send traffic with a certain utility the RSVP PATH, RESV, and CONF message is sent. How does the Daemon know to setup a connection though? There is something internal at the client source happening. I just haven't figured it out yet. Is it listening to a certain port? Any help would be appreciated. Thanks in advance.
Jon Flechsenhaar Boeing WNW Team Network Services (714)-762-1231 202-E7 From Ralf-Lists at ralfgross.de Tue Jul 31 23:00:20 2007 From: Ralf-Lists at ralfgross.de (Ralf Gross) Date: Tue Jul 31 23:00:46 2007 Subject: [LARTC] bandwidth aggregation between 2 hosts in the same subnet In-Reply-To: <7210.1185911898@death> References: <20070730141010.GA27667@p15145560.pureserver.info> <200707302046.06292.tami@disconnected.de> <20070730204801.GD27667@p15145560.pureserver.info> <200707310952.33633.tami@disconnected.de> <20070731110133.GF6008@p15145560.pureserver.info> <46AF5485.1030205@riverviewtech.net> <7210.1185911898@death> Message-ID: <20070731210020.GA24836@p15145560.pureserver.info> Jay Vosburgh schrieb: > Grant Taylor wrote: > > >On 07/31/07 06:01, Ralf Gross wrote: > >> But I don't have an isolated network. Maybe I'm still too blind to see a > >> simple solution. First, thanks for your very detailed reply. [...] > >The only other nasty thing that comes to mind is to assign additional MAC > >/ IP sets to each system on their second interfaces. > > Another similar Rube Goldberg sort of scheme I've set up in the > past (in the lab, for bonding testing, not in a production environment, > your mileage may vary, etc, etc) is to dedicate particular switch ports > to particular vlans. So, e.g., > >
> linux box eth0 ---- port 1:vlan 99 SWITCH(ES) port2:vlan 99 ---- eth0 linux box
> bond0     eth1 ---- port 3:vlan 88 SWITCH(ES) port4:vlan 88 ---- eth1 bond0
This is something that I was thinking about too. It would be like a direct crossover connection which I tested with bonding and that worked very well in round robin mode. > This sort of arrangement requires setting the Cisco switch ports > to be native to a particular vlan, e.g., "switchport mode access", > "switchport access vlan 88". Theoretically, the intervening switches > will simply pass the vlan traffic through and not decapsulate it until > it reaches its end destination port.
You might also have to fool with > the inter-switch links to make sure they're trunking properly (to pass > the vlan traffic). > > The downside of this sort of scheme is that the bond0 instances > can only communicate with each other, unless you have the ability for > one of the intermediate switches to route between the vlan and the > regular network, or you have some other host also attached to the vlans > to act as a gateway to the rest of the network. My switches won't > route, since they're switch-only models (2960/2970/3550), with no layer > 3 capability, and I've never tried setting up a separate gateway host in > such a configuration. That wouldn't be a big problem, I still can take one interface of the backup server out of the client vlan and add it to the regular backup vlan (/24). Both hosts are equipped with 4 x GbE interfaces (2 x client vlan + 2 backup vlan). > This also won't work if the intervening switches either (a) > don't have higher capacity inter-switch links or (b) don't spread the > traffic across the ISLs any better than they do on a regular > etherchannel. > > Basically, you want to take the switches out of the equation (so > the load balance algorithm used by etherchannel doesn't disturb the even > balance of the round robin transmission). There might be other ways to > essentially tunnel from port 1 to 2 and 3 to 4 (in my diagram above), > but that's really what you're looking to do. Ok. > [TCP packet reordering] > The bottom line is that you won't ever see N * X bandwidth on a > single TCP connection, and the improvement factor falls off as the > number of links in the aggregate increases. With four links, you're > doing pretty good to get about 2.3 links worth of throughput. If memory > serves, with two links you top out around 1.5. This is a factor I hope to achieve. > So, the real question is: Since you've got two links, how > important is that 0.5 improvement in transfer speed? 
Can you instead > figure out a way to split your backup problem into pieces, and run them > concurrently? I use bacula for backup, I can add an alias with a different ip/port for the host with the data. But I think this will get unhandy over the time. OT: This should not only be a classical backup, it's a bit like a HSM solution. We have large amounts of video data that will be moved from the online storage to tapes. If the data is needed again (only little will be), it's possible that 5-10 TB of data needs to be restored to the RAID again. So a 30-50% higher transfer rate could save some hours. > That can be a much easier problem to tackle, given that it's > trivial to add extra IP addresses to the hosts on each end, and > presumably your higher end Cisco gear will permit a load-balance > algorithm other than straight MAC address XOR. E.g., the 2960 I've got > handy permits: > >
> slime(config)#port-channel load-balance ?
>   dst-ip       Dst IP Addr
>   dst-mac      Dst Mac Addr
>   src-dst-ip   Src XOR Dst IP Addr
>   src-dst-mac  Src XOR Dst Mac Addr
>   src-ip       Src IP Addr
>   src-mac      Src Mac Addr
> > so it's possible to get the IP address into the port selection > math, and adding IP addresses is pretty straightforward. Yes, this is something I thought about first. But I fear that the backup jobs and database records will get confusing. Backups should be as simple as possible, therefore I'd like to solve this at a lower level. But it's still an option. Ralf From stonie.cooper at planetarydata.com Wed Aug 1 04:14:41 2007 From: stonie.cooper at planetarydata.com (Stonie Cooper) Date: Wed Aug 1 04:14:48 2007 Subject: [LARTC] tc shown rate larger than ceil (was "Weird rate in HTB") Message-ID: <1CF9BE07-1FA5-486B-A7B6-792B41EA03CC@planetarydata.com> An earlier exchange about someone seeing the rate larger than the ceiling is posted below. Andy explained the reason for the "above ceiling" rate in Daniel's output . . . but I just saw an example that doesn't fit.
>> tc output >>
class htb 1:14 parent 1:1 leaf 14: prio 1 quantum 3072 rate 256000bit ceil 282000bit burst 1820b/8 mpu 0b overhead 0b cburst 1851b/8 mpu 0b overhead 0b level 0
 Sent 2639448 bytes 1128 pkt (dropped 0, overlimits 0 requeues 0)
 rate 325360bit 17pps backlog 0b 25p requeues 0
 lended: 981 borrowed: 122 giants: 1155
 tokens: -48548 ctokens: -56127
<< tc output <<
I see a 43360 difference, where the rate is more than the ceiling . . . of which only 952bits are accounted for in the following exchange. I have actually seen the rate be as much as 80408bits off . . . at only 19pps. Is there something else I am missing? Stone Daniel Harold L. wrote On Tuesday 03 July 2007 22:50: >> Dear all, >> >> First, sorry for my bad English .. >> >> Tonight one of my client is the victim of UDP attack from internet. It's tons >> of UDP packets from internet with destination to port 80. But when I look at >> class of that victim client, the actual class rate is over than configured >> rate class. >> >> Below is my screen capture. You can see at class 1:913 which have actual rate >> 105136bit while configured with ceil at 96000bit. Also its parent class >> (1:91) which have actual rate 107680bit while configured with ceil at >> 96000bit. >> >> Is this normal? Or I have miss something in my script. Sometimes ago I found >> this situation but I forgot to capture the screen and the traffic is UDP too >> (maybe from torrent-like client) > >Yes it is normal! > >The rate tables that tc use normally have an 8 byte steps, so it is >possible for up to a 56bit/s error per packet and you have 300 pps. > >There was a small patch submitted for tc to make the error fall on the >underrate rather than overrate side, but I think it got lost in the >middle of the long ATM overhead patch thread on netdev. > >Andy.
From lists at andyfurniss.entadsl.com Wed Aug 1 20:43:26 2007 From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Wed Aug 1 20:44:18 2007 Subject: [LARTC] tc shown rate larger than ceil (was "Weird rate in HTB") In-Reply-To: <1CF9BE07-1FA5-486B-A7B6-792B41EA03CC@planetarydata.com> References: <1CF9BE07-1FA5-486B-A7B6-792B41EA03CC@planetarydata.com> Message-ID: <46B0D44E.20903@andyfurniss.entadsl.com> Stonie Cooper wrote: > An earlier exchange about someone seeing the rate larger than the > ceiling is posted below. Andy explained the reason for the "above > ceiling" rate in Daniel's output . . . but I just saw an example that > doesn't fit. > > >> tc output >>
> class htb 1:14 parent 1:1 leaf 14: prio 1 quantum 3072 rate 256000bit ceil 282000bit burst 1820b/8 mpu 0b overhead 0b cburst 1851b/8 mpu 0b overhead 0b level 0
>  Sent 2639448 bytes 1128 pkt (dropped 0, overlimits 0 requeues 0)
>  rate 325360bit 17pps backlog 0b 25p requeues 0
>  lended: 981 borrowed: 122 giants: 1155
It's because you have giants - possibly because your nic does tcp segmentation offload so locally generated traffic goes through htb as big chunks before it gets segmented down to the nic's mtu. You can check/turn that off with ethtool -k or you could use htb's mtu parameter for each rate (I'm not sure if you need to do ceils as well) which makes the granularity of the rate table bigger so it can handle the larger mtu. Andy.
I took the ethtool path, and turned off tcp segmentation on that nic; I was unsure how to set the HTB MTU - I use shorewall on a Gentoo system. It has definitely made a difference. The highest rate I see is 282312bits on a line with a ceil of 282000bits - and that is with 24pps, which, according to your previous email . . . would be right in line with what it should be. Giants have fallen off, but are not completely eliminated. Is this something I should be concerned with (having giants)? Would setting the HTB MTU be more elegant? I have avoided creating my own tc script, and have been using shorewall's internals . . . but if utilizing the HTB MTU setting is "better", I will dive in and try to write a script that does the same thing as shorewall. Stone On Aug 1, 2007, at 1:43 PM, Andy Furniss wrote: > Stonie Cooper wrote: >> An earlier exchange about someone seeing the rate larger than the >> ceiling is posted below. Andy explained the reason for the "above >> ceiling" rate in Daniel's output . . . but I just saw an example >> that doesn't fit. >> >> tc output >>
>> class htb 1:14 parent 1:1 leaf 14: prio 1 quantum 3072 rate 256000bit ceil 282000bit burst 1820b/8 mpu 0b overhead 0b cburst 1851b/8 mpu 0b overhead 0b level 0
>>  Sent 2639448 bytes 1128 pkt (dropped 0, overlimits 0 requeues 0)
>>  rate 325360bit 17pps backlog 0b 25p requeues 0
>>  lended: 981 borrowed: 122 giants: 1155
> > It's because you have giants - possibly because your nic does tcp > segmentation offload so locally generated traffic goes through htb > as big chunks before it gets segmented down to the nic's mtu. > > You can check/turn that off with ethtool -k or you could use htb's > mtu parameter for each rate (I'm not sure if you need to do ceils > as well) which makes the granularity of the rate table bigger so it > can handle the larger mtu. > > Andy.
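The two checks that run through this thread, Stonie's arithmetic against Andy's "56 bit per packet" figure and the giants counter that pointed at TSO, as one added example. This is not code from the list, from shorewall or from iproute2. It assumes the rate-table behaviour Andy describes for the tc of that time: a 256-entry table whose cell_log is chosen so that mtu >> cell_log fits in 255 (default mtu 2047, so 8-byte cells) and packet lengths rounded down to the cell, so each packet can be under-charged by up to cell - 1 bytes. It also assumes the `tc -s class show` layout posted above. In the constructed sample, class 1:14 is Stonie's own output; class 1:913 is built from the numbers in Daniel's quoted report (105136bit measured, 96000bit ceil, 300 pps), with the other header and counter fields made up.

```python
"""Diagnose HTB classes whose measured rate exceeds their ceil.

Added example, not code from the list, shorewall or iproute2.  The
rate-table model (cell_log from mtu, lengths rounded DOWN to the cell)
is an assumption based on the explanation given in the thread.
"""
import re


# --- rate-table granularity -------------------------------------------

def cell_log_for_mtu(mtu=2047):
    """Smallest cell_log with mtu >> cell_log <= 255 (256-entry table)."""
    cell_log = 0
    while (mtu >> cell_log) > 255:
        cell_log += 1
    return cell_log


def cell_bytes(mtu=2047):
    """Table step in bytes: 8 for the default mtu, 16/32/64 for larger ones."""
    return 1 << cell_log_for_mtu(mtu)


def charged_bytes(pkt_len, mtu=2047):
    """Length the (rounding-down) table charges for a packet of pkt_len."""
    log = cell_log_for_mtu(mtu)
    return (pkt_len >> log) << log


def max_overrate_bps(pps, mtu=2047):
    """Upper bound on excess over ceil caused by table rounding alone.

    Each packet can be under-charged by at most (cell - 1) bytes, so at a
    given packet rate the shaper lets through that many extra bits per
    second: 17 pps * 7 bytes * 8 = 952 bit/s with 8-byte cells.
    """
    return pps * (cell_bytes(mtu) - 1) * 8


# --- `tc -s class show dev X` parser (HTB) ----------------------------

_UNIT = {"bit": 1, "Kbit": 1000, "Mbit": 1000 ** 2, "Gbit": 1000 ** 3}
_RATE = r"(\d+)(bit|Kbit|Mbit|Gbit)"
_HDR = re.compile(r"^class htb (\S+) .*?\brate " + _RATE + r" ceil " + _RATE)
_STAT = re.compile(r"^\s+rate " + _RATE + r" (\d+)pps")
_GIANTS = re.compile(r"\bgiants: (\d+)")


def to_bps(value, unit):
    return int(value) * _UNIT[unit]


def parse_htb_classes(output):
    """Map classid -> {ceil, rate, pps, giants}; rates in bit/s."""
    classes, cur = {}, None
    for line in output.splitlines():
        m = _HDR.match(line)
        if m:                      # class header: configured ceil
            cur = m.group(1)
            classes[cur] = {"ceil": to_bps(m.group(4), m.group(5)),
                            "rate": 0, "pps": 0, "giants": 0}
            continue
        if cur is None:
            continue
        m = _STAT.match(line)      # measured rate and packet rate
        if m:
            classes[cur]["rate"] = to_bps(m.group(1), m.group(2))
            classes[cur]["pps"] = int(m.group(3))
        m = _GIANTS.search(line)   # packets larger than the class mtu
        if m:
            classes[cur]["giants"] = int(m.group(1))
    return classes


def diagnose(cls, mtu=2047):
    """Classify one parsed class; returns a short verdict string."""
    excess = cls["rate"] - cls["ceil"]
    if excess <= 0:
        return "within ceil"
    bound = max_overrate_bps(cls["pps"], mtu)
    if excess <= bound:
        return "rounding: excess %d bit/s <= bound %d bit/s" % (excess, bound)
    if cls["giants"]:
        return ("giants: excess %d bit/s > bound %d bit/s with %d giants, "
                "check TSO/GSO (ethtool -k) or the HTB mtu parameter"
                % (excess, bound, cls["giants"]))
    return "unexplained: excess %d bit/s > bound %d bit/s" % (excess, bound)


def report(output, mtu=2047):
    """[(classid, verdict)] for every HTB class in the tc output."""
    return [(cid, diagnose(c, mtu)) for cid, c in parse_htb_classes(output).items()]


# Constructed sample: 1:14 is the output posted in this thread; 1:913 is
# built from the numbers in Daniel's quoted report, other fields made up.
SAMPLE = """\
class htb 1:14 parent 1:1 leaf 14: prio 1 quantum 3072 rate 256000bit ceil 282000bit burst 1820b/8 mpu 0b overhead 0b cburst 1851b/8 mpu 0b overhead 0b level 0
 Sent 2639448 bytes 1128 pkt (dropped 0, overlimits 0 requeues 0)
 rate 325360bit 17pps backlog 0b 25p requeues 0
 lended: 981 borrowed: 122 giants: 1155
 tokens: -48548 ctokens: -56127

class htb 1:913 parent 1:91 leaf 913: prio 1 quantum 1500 rate 64000bit ceil 96000bit burst 1599b/8 mpu 0b overhead 0b cburst 1599b/8 mpu 0b overhead 0b level 0
 Sent 1314200 bytes 3000 pkt (dropped 41, overlimits 0 requeues 0)
 rate 105136bit 300pps backlog 0b 0p requeues 0
 lended: 3000 borrowed: 0 giants: 0
 tokens: 1120 ctokens: 2240
"""

if __name__ == "__main__":
    for cid, verdict in report(SAMPLE):
        print(cid, verdict)
```

Feed it the output of `tc -s class show dev ethX` from a live box: an excess inside the bound is the table rounding Andy quantified, an excess well beyond it on a class that counts giants is the oversized-packet symptom to check with `ethtool -k`. `cell_bytes()` also shows the cost of the other fix: raising the HTB mtu parameter to cover TSO-sized chunks grows the cell to 16, 32 or 64 bytes, and the per-packet rounding error grows with it.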
From lists at andyfurniss.entadsl.com Wed Aug 1 23:26:49 2007 From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Wed Aug 1 23:27:05 2007 Subject: [LARTC] tc shown rate larger than ceil (was "Weird rate in HTB") In-Reply-To: <75892480-52C4-4655-B07F-77CFA19056FF@planetarydata.com> References: <1CF9BE07-1FA5-486B-A7B6-792B41EA03CC@planetarydata.com> <46B0D44E.20903@andyfurniss.entadsl.com> <75892480-52C4-4655-B07F-77CFA19056FF@planetarydata.com> Message-ID: <46B0FA99.9010106@andyfurniss.entadsl.com> Stonie Cooper wrote: > Andy - Thanks! > > I took the ethtool path, and turned off tcp segmentation on that nic; I > was unsure how to set the HTB MTU - I use shorewall on a Gentoo system. I think you would need to find each line with a rate in the script and add mtu X - I don't know what X would be, though. > > It has definitely made a difference. The highest rate I see is > 282312bits on a line with a ceil of 282000bits - and that is with 24pps, > which, according to your previous email . . . would be right in line > with what it should be. If you are shaping for a wan then I would turn off tso rather than use mtu. It should be better for latency as a big chunk of data is going to take more time to be transmitted and hurt interactive traffic. I can't imagine it being very good to effectively drop multiple segments at once either - but then shorewall may not setup with queues short enough to get drops. > > Giants have fallen off, but are not completely eliminated. Is this > something I should be concerned with (having giants)? As long as there aren't many I wouldn't care - I don't know why you still see them, though. I haven't got any nics that do tso so can't test. Would setting the > HTB MTU be more elegant? I have avoided creating my own tc script, and > have been using shorewall's internals . . . but if utilizing the HTB MTU > setting is "better", I will dive in and try to write a script that does > the same thing as shorewall. 
You would also lose some accuracy in the rate lookup tables if you used mtu 16,32,64 etc. bytes depending on how big an mtu you needed to use.

If you have a slow dsl link and really care about latency or not having to back off from its rate, then there are other ways to tweak things. They involve patching and recompiling kernel/tc.

Andy.

From indunil75 at gmail.com Thu Aug 2 11:18:55 2007
From: indunil75 at gmail.com (Indunil Jayasooriya)
Date: Thu Aug 2 11:19:22 2007
Subject: [LARTC] Allocating 64 kbits/s out of 256 kbits/s for one LAN behind firewall
In-Reply-To: <7ed6b0aa0708020218s31b0448cxb8ec8d7147173cac@mail.gmail.com>
References: <7ed6b0aa0708020218s31b0448cxb8ec8d7147173cac@mail.gmail.com>
Message-ID: <7ed6b0aa0708020218j7131222cqe38d0c05ab59d504@mail.gmail.com>

Hi,

We have a 256 kbits/s (kilobits per second) link to the internet. It is a router running Linux that belongs to our ISP. They have given us 8 internet ips (i.e. the subnet is 255.255.255.248). One has been given to this router. I have given another internet ip to the firewall running CentOS 4.5. iptables is running on it. And also, I have installed the iproute2 pkg as well.

Pls see below for installed pkgs.

[root@firebox ~]# rpm -qa |grep iptables
iptables-1.2.11-3.1.RHEL4
[root@firebox ~]# rpm -qa |grep iproute
iproute-2.6.9-3.EL4.3.centos4

This firewall has 3 ethernet cards at the moment. One is connected to the router. One is connected to our DMZ zone. One is connected to LAN1.

These are the ips of the firewall.

eth0 (internet) - 1.2.3.4/255.255.255.248 (pls assume it. For security reasons, I will not give you the actual ip)
eth1 (DMZ Zone) - 192.168.100.254/255.255.255.0
eth2 (LAN1) - 192.168.101.254/255.255.255.0

Now, everyone in LAN1 has access to the internet (due to an SNAT rule).

Now, I want to install another ethernet card in this firewall. Then, it would be eth3.

eth3 will be as follows.
eth3 (LAN2) - 192.168.102.254/255.255.255.0

Now, I want to put about 5 people (5 PCs) behind this LAN2 and give internet access to them. But, I do not want them to use my whole bandwidth (i.e. 256 kbit/s). Instead, I want to allocate 64 kbits/s (kilobits per second) to the people behind this LAN2 for their internet access.

Is it possible to achieve this task on a firewall running iptables and iproute2 (CentOS 4.5)? If so, how can I do such a thing?

If I do such a thing, what will happen to the people behind LAN1? Will they get the whole 256 kbits/s as before, or will they get 256 kbit/s - 64 kbit/s for their internet access?

Hope to hear from you.

--
Thank you
Indunil Jayasooriya

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070802/2411dc2b/attachment.html

From stonie.cooper at planetarydata.com Thu Aug 2 14:53:24 2007
From: stonie.cooper at planetarydata.com (Stonie Cooper)
Date: Thu Aug 2 14:53:40 2007
Subject: [LARTC] tc shown rate larger than ceil (was "Weird rate in HTB")
In-Reply-To: <46B0FA99.9010106@andyfurniss.entadsl.com>
References: <1CF9BE07-1FA5-486B-A7B6-792B41EA03CC@planetarydata.com> <46B0D44E.20903@andyfurniss.entadsl.com> <75892480-52C4-4655-B07F-77CFA19056FF@planetarydata.com> <46B0FA99.9010106@andyfurniss.entadsl.com>
Message-ID: <1B63E656-A54B-4218-AFE5-95A2DB89665D@planetarydata.com>

Andy - I spoke too soon; there were evidently just a few giants left in the queue when I did the change. After an hour, all giants ceased. Thanks again - it works much better now.

Stone

On Aug 1, 2007, at 4:26 PM, Andy Furniss wrote:

> Stonie Cooper wrote:
>> Andy - Thanks!
>> I took the ethtool path, and turned off tcp segmentation on that
>> nic; I was unsure how to set the HTB MTU - I use shorewall on a
>> Gentoo system.
>
> I think you would need to find each line with a rate in the script
> and add mtu X - I don't know what X would be, though.
>
>> It has definitely made a difference. The highest rate I see is
>> 282312bits on a line with a ceil of 282000bits - and that is with
>> 24pps, which, according to your previous email . . . would be
>> right in line with what it should be.
>
> If you are shaping for a wan then I would turn off tso rather than
> use mtu. It should be better for latency as a big chunk of data is
> going to take more time to be transmitted and hurt interactive
> traffic. I can't imagine it being very good to effectively drop
> multiple segments at once either - but then shorewall may not setup
> with queues short enough to get drops.
>
>> Giants have fallen off, but are not completely eliminated. Is
>> this something I should be concerned with (having giants)?
>
> As long as there aren't many I wouldn't care - I don't know why you
> still see them, though. I haven't got any nics that do tso so can't
> test.
>
>> Would setting the
>> HTB MTU be more elegant? I have avoided creating my own tc
>> script, and have been using shorewall's internals . . . but if
>> utilizing the HTB MTU setting is "better", I will dive in and try
>> to write a script that does the same thing as shorewall.
>
> You would also lose some accuracy in the rate lookup tables if you
> used mtu 16,32,64 etc. bytes depending on how big an mtu you needed
> to use.
>
> If you have a slow dsl link and really care about latency or not
> having to back off from its rate, then there are other ways to
> tweak things. They involve patching and recompiling kernel/tc.
>
> Andy.
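An added example, not code from the thread: shell functions (names my own) that spot what Andy describes, giants plus a measured rate above ceil in tc -s class show, check TSO in ethtool -k, and work out how HTB's mtu option resizes the rate table. The tc and ethtool output are constructed samples modelled on Stonie's; the table-sizing rule is modelled on iproute2's and is an assumption, not quoted from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Spots the symptom Andy describes: a
# measured rate above ceil together with "giants" in "tc -s class show",
# and whether TSO is on according to "ethtool -k". The two inputs below are
# constructed samples modelled on the output quoted in the thread; the
# function names are this example's own.

# Constructed sample in the format of "tc -s class show dev eth0" (HTB).
TC_SAMPLE='class htb 1:14 parent 1:1 leaf 14: prio 1 quantum 3072 rate 256000bit ceil 282000bit burst 1820b/8 mpu 0b overhead 0b cburst 1851b/8 mpu 0b overhead 0b level 0
 Sent 2639448 bytes 1128 pkt (dropped 0, overlimits 0 requeues 0)
 rate 325360bit 17pps backlog 0b 25p requeues 0
 lended: 981 borrowed: 122 giants: 1155
class htb 1:15 parent 1:1 leaf 15: prio 2 quantum 3072 rate 128000bit ceil 282000bit burst 1820b/8 mpu 0b overhead 0b cburst 1851b/8 mpu 0b overhead 0b level 0
 Sent 120000 bytes 900 pkt (dropped 0, overlimits 0 requeues 0)
 rate 100000bit 12pps backlog 0b 0p requeues 0
 lended: 900 borrowed: 0 giants: 0'

# Constructed sample in the format of "ethtool -k eth0".
ETHTOOL_SAMPLE='Offload parameters for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp segmentation offload: on'

# Print "classid ceil_bit rate_bit giants" for each HTB class whose measured
# rate exceeds its ceil or that has counted giants; nothing for healthy ones.
htb_giant_classes() {
    printf '%s\n' "$1" | awk '
        /^class htb/ {
            cls = $3; ceil = 0; rate = 0
            for (i = 1; i <= NF; i++)
                if ($i == "ceil") { ceil = $(i + 1); sub(/bit$/, "", ceil) }
        }
        /^[ \t]*rate [0-9]+bit/ { rate = $2; sub(/bit$/, "", rate) }
        /giants:/ {
            giants = $NF
            if (giants + 0 > 0 || rate + 0 > ceil + 0)
                print cls, ceil, rate, giants
        }'
}

# Succeed when the ethtool -k listing shows TSO enabled.
tso_enabled() {
    printf '%s\n' "$1" | grep -q '^tcp segmentation offload: on$'
}

# Andy's first fix: with TSO on and giants counted, turn TSO off on the NIC.
# Prints the command rather than running it (no root needed to try this).
giants_advice() {
    if [ -n "$(htb_giant_classes "$2")" ] && tso_enabled "$3"; then
        echo "ethtool -K $1 tso off"
    else
        echo "no change"
    fi
}

# Andy's second option, HTB's "mtu" parameter, trades accuracy for range.
# Assumed (modelled on iproute2's table sizing, check your version): tc
# builds each rate table as 256 slots of 2^cell_log bytes and picks the
# smallest cell_log with (mtu >> cell_log) <= 255, default mtu 1600. A
# packet longer than the table covers is a giant, and a bigger cell_log
# is the accuracy loss Andy mentions.
htb_cell_log() {
    mtu=$1; log=0
    while [ $(( mtu >> log )) -gt 255 ]; do log=$(( log + 1 )); done
    echo "$log"
}

# Largest packet length the rate table built for MTU still covers.
rtab_max_len() {
    echo $(( (256 << $(htb_cell_log "$1")) - 1 ))
}

# Demo run with the constructed samples.
htb_giant_classes "$TC_SAMPLE"
giants_advice eth0 "$TC_SAMPLE" "$ETHTOOL_SAMPLE"
echo "mtu 1600: cell $(( 1 << $(htb_cell_log 1600) )) bytes, covers up to $(rtab_max_len 1600) bytes"
echo "mtu 65536: cell $(( 1 << $(htb_cell_log 65536) )) bytes, covers up to $(rtab_max_len 65536) bytes"
```

On a live box, feed it "$(tc -s class show dev eth0)" and "$(ethtool -k eth0)" instead of the samples.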
From anilth at hi.is Thu Aug 2 15:18:24 2007
From: anilth at hi.is (Anil Thapa)
Date: Thu Aug 2 15:18:37 2007
Subject: [LARTC] newbie required some help
In-Reply-To: <46AF4826.40400@oldum.net>
References: <46ADCE10.6080906@bristol.ac.uk> <20070730121432.GB30519@toroid.org> <46ADE4A6.1020808@bristol.ac.uk> <20070730132641.GA4732@toroid.org> <46ADE943.5090504@bristol.ac.uk> <20070730134354.GA4889@toroid.org> <46ADEE68.70501@bristol.ac.uk> <20070730141028.GF20842@nyx> <46AEEBCF.70700@oldum.net> <46AF02C9.8030309@bristol.ac.uk> <46AF0823.3050404@oldum.net> <46AF0A2E.3060207@bristol.ac.uk> <46AF1C07.9030206@oldum.net> <46AF412A.9000200@bristol.ac.uk> <46AF4826.40400@oldum.net>
Message-ID: <002401c7d507$9add4bf0$d097e3d0$@is>

Hello all,

Perhaps this is very easy but I have no idea how to do this. Anyway, I have two Linux servers (Redhat ent5) with a 1Gbps switch. How can I monitor the bandwidth usage between them? Or is there any tool that I can use to observe this? I understand if it were a manageable switch then it might be possible. In this case this 1Gbps switch is unmanaged. Any idea or suggestion would be helpful.

\\AT

From dagarwal at juniper.net Fri Aug 3 03:19:33 2007
From: dagarwal at juniper.net (Deepak Agarwal)
Date: Fri Aug 3 03:20:04 2007
Subject: [LARTC] filter hashkey without match
Message-ID: <36586775D676C443A856A0068352664902CD2D8B@gaugeboson.jnpr.net>

Hi,

I need to set up a filter hash and use the source port as the hashkey. It seems that I can't use "hashkey" without using "match". I am using the following commands:

tc qdisc add ... root handle 1:0 htb

# Loop to add 1000 classes (i = 1 to 1000)
tc class add ... parent 1:0 classid 1:$i

# set filters
tc filter add ... protocol ip parent 1:0 u32
tc filter add ... protocol ip parent 1:0 handle 2: u32 divisor 256

# Loop to add 1000 filters: one for each class
# $p is for port; $b is the bucket id (0 to 256); $f is for classid (1 to 1000)
tc filter add ... \
    parent 1:0 u32 match ip sport $p 0xffff ht 2:$b: flowid 1:$f

# hashkey
tc filter add ... protocol ip parent 1:0 u32 hashkey mask 0xffff at 20 link 2:

The problem is the last command. I want to match all the traffic coming to the interface and use the lower-order bits of the source port to decide the filter bucket. When I run the last command, it throws an error:

RTNETLINK answers: Invalid argument
We have an error talking to the kernel

Do we necessarily need to use "match ip .." before using "hashkey"? If so, how do I match all the traffic?

Thanks for the help,
deepak

From ams at toroid.org Fri Aug 3 03:26:23 2007
From: ams at toroid.org (Abhijit Menon-Sen)
Date: Fri Aug 3 03:26:28 2007
Subject: [LARTC] deleting filters
Message-ID: <20070803012623.GA24947@toroid.org>

Is the only way to identify a filter to "tc filter del" by using its "pref" value?

-- ams

From dagarwal at juniper.net Fri Aug 3 04:41:56 2007
From: dagarwal at juniper.net (Deepak Agarwal)
Date: Fri Aug 3 04:42:10 2007
Subject: [LARTC] deleting filters
Message-ID: <36586775D676C443A856A0068352664902CD2D8C@gaugeboson.jnpr.net>

You can selectively delete the filters. See this thread:
http://mailman.ds9a.nl/pipermail/lartc/2004q3/013245.html

- deepak

From codemonkeys at gmail.com Fri Aug 3 09:58:13 2007
From: codemonkeys at gmail.com (Nathan)
Date: Fri Aug 3 09:58:37 2007
Subject: [LARTC] u32 filter for payload
Message-ID:

I was wondering, with the current u32 filter implementation, is there a way to get beyond the tcp header to the packet payload to filter upon that? Any help is very much appreciated. Thanks.
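An added example for Deepak's hashkey question above (Frank's reply below supplies the catch-all selector); it is my code, not the thread's. It folds a u32 hashkey the way the kernel does, checks that the folded value fits the table's divisor, and emits the per-port hash filters. Assumed, not from the thread: dev eth0, a 256-bucket table 2:, IPv4 without options (so the word at offset 20 is source port in the high 16 bits and destination port in the low 16), and the function names.

```shell
#!/bin/sh
# Added example, not from the thread. Folds a u32 "hashkey mask M at OFF"
# the way the kernel does (mask the 32-bit word, shift right to the mask's
# lowest set bit), checks the result fits the divisor, and emits the
# per-port hash filters Deepak describes with a catch-all selector.
# Assumptions (this example's own): dev eth0, hash table 2: with 256
# buckets, IPv4 without options so the word at offset 20 is sport<<16|dport.

DEV=eth0
DIVISOR=256
# Low byte of the source port: bits 16..23 of the word at offset 20.
MASK=0x00ff0000

# Index of the lowest set bit of a mask; the kernel shifts the masked key
# right by this much (its "fshift") before using it as a bucket index.
mask_shift() {
    s=0
    while [ $(( ($1 >> s) & 1 )) -eq 0 ]; do s=$(( s + 1 )); done
    echo "$s"
}

# Fold a 32-bit word for "hashkey mask MASK": (word & mask) >> shift.
fold_word() {
    echo $(( ($1 & $2) >> $(mask_shift "$2") ))
}

# The 32-bit word at offset 20 of an option-less IPv4 packet.
l4_ports_word() {
    echo $(( ($1 << 16) | $2 ))
}

# Succeed when every possible folded value is below the divisor, i.e. the
# mask cannot address a bucket the table does not have.
hashkey_fits() {
    [ $(( $1 >> $(mask_shift "$1") )) -lt "$2" ]
}

# Emit the tc commands: the hash table, one match per port placed in the
# bucket its low byte folds to, and a catch-all selector (match u32 0 0,
# which every packet satisfies) that hashes into the table. Class minor
# ids are hex in tc, so port 80 is sent to class 1:50.
gen_sport_hash_filters() {
    echo "tc filter add dev $DEV protocol ip parent 1:0 prio 1 handle 2: u32 divisor $DIVISOR"
    for p in "$@"; do
        b=$(fold_word "$(l4_ports_word "$p" 0)" "$MASK")
        printf 'tc filter add dev %s protocol ip parent 1:0 prio 1 u32 ht 2:%x: match ip sport %d 0xffff flowid 1:%x\n' \
            "$DEV" "$b" "$p" "$p"
    done
    echo "tc filter add dev $DEV protocol ip parent 1:0 prio 1 u32 match u32 0 0 hashkey mask $MASK at 20 link 2:"
}

# Demo: what the two masks actually key on for a packet with sport=80 dport=443.
w=$(l4_ports_word 80 443)
echo "mask 0x00ff0000 at 20 -> bucket $(fold_word "$w" 0x00ff0000) (low byte of sport)"
echo "mask 0xffff at 20     -> value $(fold_word "$w" 0xffff) (that is the dport, not the sport)"
hashkey_fits 0xffff 256 || echo "mask 0xffff folds to values up to 65535: does not fit 256 buckets"
gen_sport_hash_filters 80 443 8080
```

Ports whose low byte collides (80 and 336, say) share a bucket, where the per-bucket "match ip sport" entries tell them apart.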
From sunnyboyfrank at web.de Fri Aug 3 10:49:19 2007
From: sunnyboyfrank at web.de (Frank Remetter)
Date: Fri Aug 3 10:49:21 2007
Subject: [LARTC] filter hashkey without match
In-Reply-To: <36586775D676C443A856A0068352664902CD2D8B@gaugeboson.jnpr.net>
References: <36586775D676C443A856A0068352664902CD2D8B@gaugeboson.jnpr.net>
Message-ID: <20070803104919.491987d3@ocean.remetter.homelinux.org>

Hey,

> how do I match all the traffic?

$TC filter add dev $DEV protocol ip parent 1:0 prio 10 \
    u32 match u32 0 0 flowid X:XX

Regards

--
Frank Remetter
http://www.remetter.de/
GPG-FP: 2B07 B7D8 5C27 AB94 7A37 8B0B DEBE DD89 D68B 7BE6

From jonathan.gazeley at bristol.ac.uk Fri Aug 3 17:11:18 2007
From: jonathan.gazeley at bristol.ac.uk (Jonathan Gazeley)
Date: Fri Aug 3 17:11:27 2007
Subject: [LARTC] Re: tc n00b
In-Reply-To: <467961.71469.qm@web27611.mail.ukl.yahoo.com>
References: <467961.71469.qm@web27611.mail.ukl.yahoo.com>
Message-ID: <46B34596.60306@bristol.ac.uk>

Hi Nikolay,

Thanks very much for your help - the script is now working. The downlink shaping works as expected, but the uplink shaping seems to give 4 times more bandwidth than it ought to - so I've just divided the number by 4 and it is satisfactory.

However, I've now discovered that pings from one of my shaped NAT clients, to another LAN machine that usually take <1ms, now take ~3500ms when I am using the bandwidth. How can I avoid these enormous queues? I have cc'd the list in case anyone else has an idea.

Have a good weekend everyone!
Cheers,
Jonathan

------------------------
Jonathan Gazeley
Wireless & VPN Team
Information Systems & Computing
University of Bristol
------------------------

Nikolay Kichukov wrote:
> Hey,
> sorry for delay. I had some issues with my primary
> internet connection and had to change the primary mail
> host as well.
>
> I looked at the script.
>
> Looks totally fine to me.
>
> If you are not sure where exactly the problem lies,
> try adding ONLY the ingress rules. Test it, see if it
> works. Then tweak if needed the script you sent to me.
>
> tc qdisc add dev $LAN ingress handle ffff:
> tc filter add dev eth0 parent ffff: protocol ip prio 2 \
>     u32 match ip src IPHERE police rate ${UPLINK}kbit \
>     burst 16kb drop flowid ffff:
>
> Cheers,
> -Nik

From stonie.cooper at planetarydata.com Fri Aug 3 23:54:48 2007
From: stonie.cooper at planetarydata.com (Stonie Cooper)
Date: Fri Aug 3 23:54:55 2007
Subject: [LARTC] tc class show - leaf?
Message-ID: <01973398-79F1-4EE1-A084-64BF571430F5@planetarydata.com>

Is there a way of pulling individual leaf nodes out of the tc -s class show dev command? Say, similar to:

tc -s class show dev eth0 parent 1:1

except for an individual leaf:

tc -s class show dev eth0 leaf 1:12

Or, better yet, is there a way to log or store statistics, so that you can pull up such things as max rate, max pps, max backlog, etc. - not just the instantaneous output from the above?

Stone

From mangalregmi at yahoo.com Sun Aug 5 11:31:23 2007
From: mangalregmi at yahoo.com (mangal regmi)
Date: Sun Aug 5 11:31:46 2007
Subject: [LARTC] plzz help..me
Message-ID: <45639.36291.qm@web50603.mail.re2.yahoo.com>

Skipped content of type multipart/alternative
From indunil75 at gmail.com Mon Aug 6 09:05:47 2007
From: indunil75 at gmail.com (Indunil Jayasooriya)
Date: Mon Aug 6 09:06:13 2007
Subject: [LARTC] Allocating 64 kbits/s out of 256 kbits/s for one LAN behind firewall
In-Reply-To:
References: <7ed6b0aa0708020218j7131222cqe38d0c05ab59d504@mail.gmail.com>
Message-ID: <7ed6b0aa0708060005w14d11cfdq9482d0c2eaba562f@mail.gmail.com>

Hi,

Thanks for your script. I am still a newbie to this traffic control. I have only done policy routing with iproute2. I was thinking how to write this script. You have already given a start.

I have been reading the below URLs.

http://lartc.org/howto/lartc.qdisc.classful.html
http://edseek.com/~jasonb/articles/traffic_shaping/linuxtc.html
http://tldp.org/HOWTO/Traffic-Control-HOWTO/index.html
http://edseek.com/~jasonb/articles/traffic_shaping/classes.html#qdiscex

But, I still find it difficult to understand fully. Hey, shall we discuss the script you wrote below? I understand the below 4 rules. The last rule marks 192.168.102.0/24 traffic as 5.

> INTERFAZ_INT=eth0
> BAND=256
> BAND_CLIENTS=64
> iptables -t mangle -A PREROUTING -s 192.168.102.0/24 -j MARK --set-mark 0x5

But, I do not understand the below rules. Shall we discuss them one by one?

> tc qdisc add dev $INTERFAZ_INT root handle 1 htb r2q 4

The above rule adds a qdisc to the internet interface. What are r2q and 4 there? I do not understand those two.

> tc class add dev $INTERFAZ_INT parent 1: classid 1:2 htb rate "$BAND"Kbit

FULL bandwidth with the above rule.

> tc class add dev $INTERFAZ_INT parent 1: classid 1:5 htb rate "$BAND_CLIENTS"Kbit

And 64 kbit with the above rule.

> tc qdisc add dev $INTERFAZ_INT parent 1:5 handle 5 sfq perturb 10

What is this above rule? I do not understand it at all.
> tc filter add dev $INTERFAZ_INT protocol ip parent 1: pref 1 handle 10 fw classid 1:5

I do not understand the above rule either. Hope to hear from you.

> Feel free to ask me what you wish.

THANKS for the above comment.

> Regards
>
> Paolo Malfatti
>
> ------------------------------
> From: "Indunil Jayasooriya"
> To: lartc@mailman.ds9a.nl
> Subject: [LARTC] Allocating 64 kbits/s out of 256 kbits/s for one LAN behind firewall
> Date: Thu, 2 Aug 2007 14:48:55 +0530
>
> Hi,
>
> We have a 256 kbits/s (kilobits per second) link to the internet. It is a
> router running Linux that belongs to our ISP. They have given us 8 internet
> ips (i.e. the subnet is 255.255.255.248). One has been given to this router.
> I have given another internet ip to the firewall running CentOS 4.5.
> iptables is running on it. And also, I have installed the iproute2 pkg as well.
>
> Pls see below for installed pkgs.
>
> [root@firebox ~]# rpm -qa |grep iptables
> iptables-1.2.11-3.1.RHEL4
> [root@firebox ~]# rpm -qa |grep iproute
> iproute-2.6.9-3.EL4.3.centos4
>
> This firewall has 3 ethernet cards at the moment. One is connected to the
> router. One is connected to our DMZ zone. One is connected to LAN1.
>
> These are the ips of the firewall.
>
> eth0 (internet) - 1.2.3.4/255.255.255.248 (pls assume it. For security
> reasons, I will not give you the actual ip)
> eth1 (DMZ Zone) - 192.168.100.254/255.255.255.0
> eth2 (LAN1) - 192.168.101.254/255.255.255.0
>
> Now, everyone in LAN1 has access to the internet (due to an SNAT rule).
>
> Now, I want to install another ethernet card in this firewall. Then, it
> would be eth3.
>
> eth3 will be as follows.
>
> eth3 (LAN2) - 192.168.102.254/255.255.255.0
>
> Now, I want to put about 5 people (5 PCs) behind this LAN2 and give internet
> access to them. But, I do not want them to use my whole bandwidth
> (i.e. 256 kbit/s). Instead, I want to allocate 64 kbits/s (kilobits per
> second) to the people behind this LAN2 for their internet access.
>
> Is it possible to achieve this task on a firewall running iptables and
> iproute2 (CentOS 4.5)?
>
> If so, how can I do such a thing?
>
> If I do such a thing, what will happen to the people behind LAN1? Will they
> get the whole 256 kbits/s as before, or will they get 256 kbit/s - 64 kbit/s
> for their internet access?
>
> Hope to hear from you.
>
> --
> Thank you
> Indunil Jayasooriya
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

--
Thank you
Indunil Jayasooriya

From Jon.J.Flechsenhaar at boeing.com Tue Aug 7 01:07:39 2007
From: Jon.J.Flechsenhaar at boeing.com (Flechsenhaar, Jon J)
Date: Tue Aug 7 01:07:49 2007
Subject: [LARTC] Marking and remarking of incoming traffic
Message-ID: <0E24ED2A7F9AA349A8633E6A56A64BE0027A8409@XCH-SW-2V1.sw.nos.boeing.com>

I can use DSMARK to mark on the Egress side. Is there a way to mark/change the DSCP value of an incoming packet on the ingress side? Thanks.

Jon Flechsenhaar
Boeing WNW Team
Network Services
(714)-762-1231
202-E7

From tenos at ll.mit.edu Tue Aug 7 01:42:10 2007
From: tenos at ll.mit.edu (Tim Enos)
Date: Tue Aug 7 01:42:30 2007
Subject: [LARTC] Marking and remarking of incoming traffic
In-Reply-To: <0E24ED2A7F9AA349A8633E6A56A64BE0027A8409@XCH-SW-2V1.sw.nos.boeing.com>
Message-ID: <200708062342.l76NgOll016881@ll.mit.edu>

Hi Jon,

You can use iptables to mark/change the DSCP value of an incoming packet on the ingress side.
An example is below (where $in_dev can be whatever your input interface is):

iptables -t mangle -A FORWARD -i $in_dev -p tcp -m multiport --ports 80 -j DSCP --set-dscp-class BE

Basically the above example (re)marks all www traffic (meant to be forwarded through this node) entering via $in_dev to BE.

There is a decent (IMO) manpage for iptables (there are too many permutations/combinations of options to list here).

> -----Original Message-----
> From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl]
> On Behalf Of Flechsenhaar, Jon J
> Sent: Monday, August 06, 2007 7:08 PM
> To: LARTC@mailman.ds9a.nl
> Subject: [LARTC] Marking and remarking of incoming traffic
>
> I can use DSMARK to mark on the Egress side. Is there a way to
> mark/change the DSCP value of an incoming packet on the ingress side?
> Thanks.
>
> Jon Flechsenhaar
> Boeing WNW Team
> Network Services
> (714)-762-1231
> 202-E7

From jonathan.gazeley at bristol.ac.uk Tue Aug 7 13:15:52 2007
From: jonathan.gazeley at bristol.ac.uk (Jonathan Gazeley)
Date: Tue Aug 7 13:16:13 2007
Subject: [LARTC] Classful queues
Message-ID: <46B85468.7000807@bristol.ac.uk>

Dear all,

I am trying to set up multi-user traffic control. In short, I want each user to be hard limited to 128kbit download and 64kbit upload. On top of that, I want interactive traffic (ICMP, ACK packets, SSH, etc) to be prioritised to minimise latency. It sounds like it ought to be done with a classful qdisc but I don't really know what I'm doing.
I think I want something like the following:

root class
|
+ 192.168.0.1 class
|   |
|   + priority 0: SSH, ICMP, ACK, etc
|   |
|   + priority 1: all other traffic
|
+ 192.168.0.2 class
+ etc

I'm not sure if it's good to have ~250 classes for the IP addresses, and sub classes within those for the different priorities, or if all the traffic should be rate-limited by IP first, and then sorted into a handful of shared classes, to be dequeued.

I have taken advice from this list for the past couple of weeks and I have a semi functional script now. However the latency suddenly jumps to >4000ms as soon as the user starts downloading. Also my script uses police rate to limit upload speed - but this is not particularly effective and also not really required, as the box is able to shape traffic in both directions. It is also a NAT box.

Related, but not strictly to do with tc, is there any way of concisely and effectively logging connections between NATd users and external IPs? I need to be able to maintain a log which tells me that a certain user was connected to a certain remote host on port 1234 at a certain time and date, for legal reasons.

I realise this is a bit of a mammoth request, but I hope someone can help me.

Many thanks in advance,
Jonathan

------------------------
Jonathan Gazeley
ResNet | Wireless & VPN Team
Information Systems & Computing
University of Bristol
------------------------

From indunil75 at gmail.com Wed Aug 8 09:00:59 2007
From: indunil75 at gmail.com (Indunil Jayasooriya)
Date: Wed Aug 8 09:01:40 2007
Subject: [LARTC] Allocating 64 kbits/s out of 256 kbits/s for one LAN behind firewall
In-Reply-To:
References: <7ed6b0aa0708060005w14d11cfdq9482d0c2eaba562f@mail.gmail.com>
Message-ID: <7ed6b0aa0708080000u6a2a91d9n502b3b008dc2097@mail.gmail.com>

Hi Paolo Malfatti,

Thanks for your script. I tried it. But I still can not allocate 64 kbit for the LAN. We have a 256 kbit link. We usually download at around 30-33 kbytes per second.
That means, when it comes to kbits, I will have to multiply it by 8 as 1kbps=8kbit. Pls see below for the usual download rate, before applying your rules.

[root@worldnet wget]# wget http://mirrors.kernel.org/centos/5.0/isos/i386/CentOS-5.0-i386-bin-6of6.iso
--12:16:27--  http://mirrors.kernel.org/centos/5.0/isos/i386/CentOS-5.0-i386-bin-6of6.iso
           => `CentOS-5.0-i386-bin-6of6.iso.1'
Resolving mirrors.kernel.org... 204.152.191.7, 204.152.191.39
Connecting to mirrors.kernel.org|204.152.191.7|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 407,005,184 (388M) [application/x-iso9660-image]

 0% [                                ] 2,749,752     30.10K/s    ETA 4:43:0

Then, I applied your rules. Pls see below.

INTERFAZ_INT=eth0
FULLBANDWIDTH=256
BANDWIDTH4LAN=64

iptables -t mangle -A PREROUTING -s 192.168.101.0/24 -j MARK --set-mark 0x5

tc qdisc add dev $INTERFAZ_INT root handle 1 htb r2q 4
tc class add dev $INTERFAZ_INT parent 1: classid 1:2 htb rate "$FULLBANDWIDTH"Kbit
tc class add dev $INTERFAZ_INT parent 1: classid 1:5 htb rate "$BANDWIDTH4LAN"Kbit
tc qdisc add dev $INTERFAZ_INT parent 1:5 handle 5 sfq perturb 10
tc filter add dev $INTERFAZ_INT protocol ip parent 1: pref 1 handle 5 fw classid 1:5

Still no luck. After applying the rules, I downloaded a CentOS ISO image. But I still can download at the usual rate (i.e. 30-33 kbytes per second). If your rules work, I will be able to download at about 8 kbytes per second (i.e. 8*8 kbit = 64 kbit). That is what I expect? Where have I gone wrong?

On 8/7/07, Pio Mendez wrote:
>
> > What are r2q and 4 there? I do not understand those two.
>
> I recommend you to read this:
>
> http://luxik.cdi.cz/~devik/qos/htb/
>
> the r2q is a divisor used to calculate the quantum of htb (the amount of
> bytes that will be transmitted before serving another class: quantum = rate
> / r2q).
>
> > tc qdisc add dev $INTERFAZ_INT parent 1:5 handle 5 sfq perturb 10
> > What is this above rule? I do not understand it at all.
>
> a must: http://lartc.org/howto/lartc.qdisc.html
>
> The classes do the shaping of traffic, but you need a queue manager to transmit
> it (qdisc rule). Here you will find an example of an HTB script:
> http://lartc.org/howto/lartc.qdisc.classful.html#AEN1072
>
> > tc filter add dev $INTERFAZ_INT protocol ip parent 1: pref 1 handle 10 fw classid 1:5
> > I do not understand the above rule either.
>
> there is an error: the right filter rule is:
> tc filter add dev $INTERFAZ_INT protocol ip parent 1: pref 1 handle 5 fw classid 1:5
>
> The filter rule filters the traffic and sends the matching packets to the
> right class.
> The iptables MARK rule marks the traffic before the SNAT. Later, after all
> iptables processing, the packets are filtered by this rule; if some packet
> matches the "handle 5" filter (packets marked with 5 by the iptables rule will
> match) then it will be shaped by the htb class to 64kbps.
>
> Hope this will help
> Regards
> Paolo Malfatti

--
Thank you
Indunil Jayasooriya

From m.magua at gmail.com Thu Aug 9 15:05:08 2007
From: m.magua at gmail.com (Michael Magua)
Date: Thu Aug 9 15:05:29 2007
Subject: [LARTC] Problem with packet mangling over 2 links
Message-ID: <56c5a2cf0708090605v62fbfa96rfef4f9e0216c7ea5@mail.gmail.com>

Hi

I have a strange problem. I have a firewall with 3 nics.

1 - lan
2 - leased line or diginet
3 - connected to adsl modem

I have 2 tables defined in /etc/iproute2/rt_tables:

200 diginet
201 adsl

The ADSL modem has an IP of 192.168.0.1 and is configured to initiate the PPPOE connection.
I can mark packets within the network destined for port 80 successfully:

ip ro add default via x.x.x.x table diginet    # where x.x.x.x is the ip of the cisco router
ip route add default via 192.168.0.1 dev eth2 table adsl
ip ru add fwmark 2 table adsl
ip ro fl ca
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j MARK --set-mark 2
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT

That all works and if I do a tcpdump on eth2 I can see packets for web traffic going out via ADSL.

The problem: If I configure the ADSL modem to no longer make the PPPOE connection but let the firewall do it, i.e. pppoe-setup / pppoe, then it doesn't work. Here are the relevant netfilter and iproute2 steps I did.

ip ro add default via x.x.x.x table diginet    # where x.x.x.x is the ip of the cisco router
ip ro add dev ppp0 table adsl
ip ro add default via x.x.x.x table adsl       # where x.x.x.x is the p-t-p addr from the output of ifconfig ppp0
ip ru add fwmark 2 table adsl
ip ro fl ca
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j MARK --set-mark 2
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT

I have also set DEFROUTE=no and PEERDNS=no in /etc/ppp/pppoe.conf as the diginet is still the default route but I only want web traffic out on ADSL.
Some output from tcpdump showing this doesn't work:

[root@firewall ~]# tcpdump -i eth0 port 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
07:43:59.501397 IP 192.168.1.222.2867 > 66.249.93.104.80: S 2326997538:2326997538(0) win 5840
07:44:02.495748 IP 192.168.1.222.2867 > 66.249.93.104.80: S 2326997538:2326997538(0) win 5840
07:44:08.496618 IP 192.168.1.222.2867 > 66.249.93.104.80: S 2326997538:2326997538(0) win 5840
07:44:20.498324 IP 192.168.1.222.2867 > 66.249.93.104.80: S 2326997538:2326997538(0) win 5840

If anyone can shed some light on what I'm doing wrong or missing I'd really appreciate it.

Michael

From Jon.J.Flechsenhaar at Boeing.com Thu Aug 9 19:16:04 2007
From: Jon.J.Flechsenhaar at Boeing.com (Flechsenhaar, Jon J)
Date: Thu Aug 9 19:16:19 2007
Subject: [LARTC] Marking and remarking of incoming traffic
In-Reply-To: <200708071507.l77F7Xqi019481@ll.mit.edu>
References: <0E24ED2A7F9AA349A8633E6A56A64BE0027A840B@XCH-SW-2V1.sw.nos.boeing.com> <200708071507.l77F7Xqi019481@ll.mit.edu>
Message-ID: <0E24ED2A7F9AA349A8633E6A56A64BE0027A841A@XCH-SW-2V1.sw.nos.boeing.com>

It looks like some support for this command is not functioning correctly.

--set-dscp value
    Set DSCP field in packet header to value. This value can be in decimal (ex: 32) or in hex (ex: 0x20)

--set-dscp-class class
    Set the DSCP field in packet header to the value represented by the DiffServ class value. This class may be EF,BE or any of the CSxx or AFxx classes.

Am I typing something wrong here?

1.) // This works fine
iptables -t mangle -A FORWARD -p udp --sport 2000 -s 192.85.3.1/24 --j DSCP --set-dscp-class AF31

2.) // This doesn't work
iptables -t mangle -A FORWARD -p udp --sport 2000 -s 192.85.3.1/24 --j DSCP --set-dscp 0x20
ERROR: iptables: Bad rule (does a matching rule exist in that chain?)
// There is no existing rule

iptables -t mangle -A FORWARD -p udp --sport 2000 -m iprange --src-range 192.85.3.1 --j DSCP --set-dscp 0x68    // should be equivalent to AF31 above
ERROR: iptables v1.3.5: DSCP `104` out of range
// it looks like I should be able to use hex values but it doesn't seem to work

3.) // doesn't work
iptables -t mangle -A FORWARD -p udp --sport 2000 -s 192.85.3.1/24 --j DSCP --set-dscp-class CSxx
// I can't seem to figure out what should go after the Class Selector "CS"

Any help on this issue would be appreciated. Thanks.

Jon Flechsenhaar
Boeing WNW Team
Network Services
(714)-762-1231
202-E7

-----Original Message-----
From: Tim Enos [mailto:tenos@ll.mit.edu]
Sent: Tuesday, August 07, 2007 7:34 AM
To: Flechsenhaar, Jon J
Subject: RE: [LARTC] Marking and remarking of incoming traffic

It has convenient keywords (hence the --set-dscp-class option) and individual DSCP values that can be set (if memory serves me, they can be set in either hex or decimal). It might be useful (for the connection-oriented traffic anyhow) to (re)mark traffic based upon the setting of the ECN bits. In any case, I too was glad to see DSCP could be specified (especially since ceteris paribus the DSCP markings of traffic coming into a DS domain are not trusted by it).

> -----Original Message-----
> From: Flechsenhaar, Jon J [mailto:Jon.J.Flechsenhaar@boeing.com]
> Sent: Monday, August 06, 2007 8:01 PM
> To: Tim Enos
> Subject: RE: [LARTC] Marking and remarking of incoming traffic
>
> Thanks. I saw that command but I was looking at the TOS parameters.
> Didn't realize that there were also DSCP values.
>
> Jon Flechsenhaar
> Boeing WNW Team
> Network Services
> (714)-762-1231
> 202-E7
>
> -----Original Message-----
> From: Tim Enos [mailto:tenos@ll.mit.edu]
> Sent: Monday, August 06, 2007 4:42 PM
> To: LARTC@mailman.ds9a.nl
> Subject: RE: [LARTC] Marking and remarking of incoming traffic
>
> Hi Jon,
>
> You can use iptables to mark/change the DSCP value of an incoming
> packet on the ingress side. An example is below (where $in_dev can be
> whatever your input interface is):
>
> iptables -t mangle -A FORWARD -i $in_dev -p tcp -m multiport --ports 80 -j DSCP --set-dscp-class BE
>
> Basically the above example (re)marks all www traffic (meant to be
> forwarded through this node) entering via $in_dev to BE.
>
> There is a decent (IMO) manpage for iptables (there are too many
> permutations/combinations of options to list here).
>
> > -----Original Message-----
> > From: lartc-bounces@mailman.ds9a.nl
> > [mailto:lartc-bounces@mailman.ds9a.nl]
> > On Behalf Of Flechsenhaar, Jon J
> > Sent: Monday, August 06, 2007 7:08 PM
> > To: LARTC@mailman.ds9a.nl
> > Subject: [LARTC] Marking and remarking of incoming traffic
> >
> > I can use DSMARK to mark on the Egress side. Is there a way to
> > mark/change the DSCP value of an incoming packet on the ingress side?
> > Thanks.
> > > > > > Jon Flechsenhaar > > Boeing WNW Team > > Network Services > > (714)-762-1231 > > 202-E7 > > > > _______________________________________________ > > LARTC mailing list > > LARTC@mailman.ds9a.nl > > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc From Jon.J.Flechsenhaar at boeing.com Thu Aug 9 21:08:06 2007 From: Jon.J.Flechsenhaar at boeing.com (Flechsenhaar, Jon J) Date: Thu Aug 9 21:08:23 2007 Subject: [LARTC] Marking and remarking of incoming traffic In-Reply-To: <0E24ED2A7F9AA349A8633E6A56A64BE0027A841A@XCH-SW-2V1.sw.nos.boeing.com> References: <200708071507.l77F7Xqi019481@ll.mit.edu> <0E24ED2A7F9AA349A8633E6A56A64BE0027A841A@XCH-SW-2V1.sw.nos.boeing.com> Message-ID: <0E24ED2A7F9AA349A8633E6A56A64BE0027A841C@XCH-SW-2V1.sw.nos.boeing.com> UPDATE: iptables -t mangle -A FORWARD -p udp --sport 2000 -s 192.85.3.1/24 --j DSCP --set-dscp-class CS20 I GOT THIS TO WORK. 10=0x20 20=0x40 30=0x60 40=0x80 50=0xa0 60=0xc0 70=0xe0 I still can't enter a DSCP hex value though. Just the equivalent word value. So AF31 works but 0x68 doesn't. Jon Flechsenhaar Boeing WNW Team Network Services (714)-762-1231 202-E7 -----Original Message----- From: Flechsenhaar, Jon J Sent: Thursday, August 09, 2007 10:16 AM To: LARTC@mailman.ds9a.nl Subject: RE: [LARTC] Marking and remarking of incoming traffic It looks like some support for this command is not functioning correctly. --set-dscp value Set DSCP field in packet header to value This value can be in decimal (ex: 32) or in hex (ex: 0x20) --set-dscp-class class Set the DSCP field in packet header to the value represented by the DiffServ class value. This class may be EF,BE or any of the CSxx or AFxx classes. Am I typing something wrong here? 1.) // This works fine iptables -t mangle -A FORWARD -p udp --sport 2000 -s 192.85.3.1/24 --j DSCP --set-dscp-class AF31 2.) 
//This doesn't work iptables -t mangle -A FORWARD -p udp --sport 2000 -s 192.85.3.1/24 --j DSCP --set-dscp 0x20 ERROR: iptables: Bad rule (does a matching rule exist in that chain?) // There is no existing rule iptables -t mangle -A FORWARD -p udp --sport 2000 -m iprange --src-range 192.85.3.1 --j DSCP --set-dscp 0x68 //should be equivalent to AF31 above ERROR: iptables v1.3.5: DSCP `104` out of range // it looks like I should be able to use hex values but it doesn't seem to work 3.) //doesn't work iptables -t mangle -A FORWARD -p udp --sport 2000 -s 192.85.3.1/24 --j DSCP --set-dscp-class CSxx // I can't seem to figure out what should go after the Class Selector "CS" Any help on this issue would be appreciated. Thanks. Jon Flechsenhaar Boeing WNW Team Network Services (714)-762-1231 202-E7 -----Original Message----- From: Tim Enos [mailto:tenos@ll.mit.edu] Sent: Tuesday, August 07, 2007 7:34 AM To: Flechsenhaar, Jon J Subject: RE: [LARTC] Marking and remarking of incoming traffic It has convenient keywords (hence the --set-dscp-class option) and individual DSCP values that can be set (if memory serves me, they can be set in either hex or decimal). It might be useful (for the connection-oriented traffic anyhow) to (re)mark traffic based upon the setting of the ECN bits. In any case, I too was glad to see DSCP could be specified (especially since ceteris paribus the DSCP markings of traffic coming into a DS domain are not trusted by it). > -----Original Message----- > From: Flechsenhaar, Jon J [mailto:Jon.J.Flechsenhaar@boeing.com] > Sent: Monday, August 06, 2007 8:01 PM > To: Tim Enos > Subject: RE: [LARTC] Marking and remarking of incoming traffic > > Thanks. I saw that command but I was looking at the TOS parameters. > Didn't realize that there were also DSCP values. 
> > > Jon Flechsenhaar > Boeing WNW Team > Network Services > (714)-762-1231 > 202-E7 > > -----Original Message----- > From: Tim Enos [mailto:tenos@ll.mit.edu] > Sent: Monday, August 06, 2007 4:42 PM > To: LARTC@mailman.ds9a.nl > Subject: RE: [LARTC] Marking and remarking of incoming traffic > > Hi Jon, > > You can use iptables to mark/change the DSCP value of an incoming > packet on the ingress side. An example is below (where $in_dev can be > whatever your input interface is): > > ip tables -t mangle -A FORWARD -i $in_dev -p tcp --ports 80 -j DSCP > --set-dscp-class BE > > Basically the above example (re)marks all www traffic (meant to be > forwarded through this node) entering via $in_dev to BE. > > There is a decent (IMO) manpage for iptables (there are too many > permutations/combinations of options to list here). > > > -----Original Message----- > > From: lartc-bounces@mailman.ds9a.nl > > [mailto:lartc-bounces@mailman.ds9a.nl] > > On Behalf Of Flechsenhaar, Jon J > > Sent: Monday, August 06, 2007 7:08 PM > > To: LARTC@mailman.ds9a.nl > > Subject: [LARTC] Marking and remarking of incoming traffic > > > > I can use DSMARK to mark on the Egress side. Is there a way to > > mark/change the DSCP value of an incoming packet on the ingress side? > > Thanks. 
> > > > > > Jon Flechsenhaar > > Boeing WNW Team > > Network Services > > (714)-762-1231 > > 202-E7 > > > > _______________________________________________ > > LARTC mailing list > > LARTC@mailman.ds9a.nl > > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc _______________________________________________ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc From tenos at ll.mit.edu Thu Aug 9 21:16:47 2007 From: tenos at ll.mit.edu (Tim Enos) Date: Thu Aug 9 21:17:25 2007 Subject: [LARTC] Marking and remarking of incoming traffic In-Reply-To: <0E24ED2A7F9AA349A8633E6A56A64BE0027A841A@XCH-SW-2V1.sw.nos.boeing.com> Message-ID: <200708091917.l79JHDkP029931@ll.mit.edu> Hi Jon, Please see (hopefully correct and useful) comments in-line: > -----Original Message----- > From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] > On Behalf Of Flechsenhaar, Jon J > Sent: Thursday, August 09, 2007 1:16 PM > To: LARTC@mailman.ds9a.nl > Subject: RE: [LARTC] Marking and remarking of incoming traffic > > It looks like some support for this command is not functioning > correctly. > > --set-dscp value Set DSCP field in packet header to value > This value can be in decimal (ex: 32) > or in hex (ex: 0x20) > --set-dscp-class class Set the DSCP field in packet header to > the > value represented by the DiffServ class > value. > This class may be EF,BE or any of the > CSxx or AFxx classes. > > Am I typing something wrong here? > 1.) > // This works fine > iptables -t mangle -A FORWARD -p udp --sport 2000 -s 192.85.3.1/24 --j > DSCP --set-dscp-class AF31 > > 2.) > //This doesn't work > iptables -t mangle -A FORWARD -p udp --sport 2000 -s 192.85.3.1/24 --j > DSCP --set-dscp 0x20 > ERROR: iptables: Bad rule (does a matching rule exist in that chain?) 
> // There is no existing rule
> iptables -t mangle -A FORWARD -p udp --sport 2000 -m iprange --src-range
> 192.85.3.1 --j DSCP --set-dscp 0x68 //should be equivalent to AF31 above
> ERROR: iptables v1.3.5: DSCP `104` out of range
> // it looks like I should be able to use hex values but it doesn't seem
> to work

Don't consider the ECN bits when doing this calculation. AF31 looks like this: 011 010. In hex that would be 0x1a, as it is 26 in decimal notation. See RFC 2597, section 6, and the iptables man page which (at least in my case) includes text such as:

" dscp
This module matches the 6 bit DSCP field within the TOS field in the IP header. DSCP has superseded TOS within the IETF.

--dscp value
Match against a numeric (decimal or hex) value [0-32]."

>
> 3.)
> //doesn't work
> iptables -t mangle -A FORWARD -p udp --sport 2000 -s 192.85.3.1/24 --j
> DSCP --set-dscp-class CSxx
> // I can't seem to figure out what should go after the Class Selector
> "CS"

CS3 would probably be the best value to use if you're looking for the functional equivalent of AF31. Class Selector PHBs are meant to provide backwards-compatibility with ToS. There are eight possible values (CS0-CS7). RFC 2474 and the IANA registry http://www.iana.org/assignments/dscp-registry are good resources for this.

>
> Any help on this issue would be appreciated. Thanks.
>
> Jon Flechsenhaar
> Boeing WNW Team
> Network Services
> (714)-762-1231
> 202-E7
>
> -----Original Message-----
> From: Tim Enos [mailto:tenos@ll.mit.edu]
> Sent: Tuesday, August 07, 2007 7:34 AM
> To: Flechsenhaar, Jon J
> Subject: RE: [LARTC] Marking and remarking of incoming traffic
>
> It has convenient keywords (hence the --set-dscp-class option) and
> individual DSCP values that can be set (if memory serves me, they can be
> set in either hex or decimal).
>
> It might be useful (for the connection-oriented traffic anyhow) to
> (re)mark traffic based upon the setting of the ECN bits.
In any case, I > too was glad to see DSCP could be specified (especially since ceteris > paribus the DSCP markings of traffic coming into a DS domain are not > trusted by it). > > > -----Original Message----- > > From: Flechsenhaar, Jon J [mailto:Jon.J.Flechsenhaar@boeing.com] > > Sent: Monday, August 06, 2007 8:01 PM > > To: Tim Enos > > Subject: RE: [LARTC] Marking and remarking of incoming traffic > > > > Thanks. I saw that command but I was looking at the TOS parameters. > > Didn't realize that there were also DSCP values. > > > > > > Jon Flechsenhaar > > Boeing WNW Team > > Network Services > > (714)-762-1231 > > 202-E7 > > > > -----Original Message----- > > From: Tim Enos [mailto:tenos@ll.mit.edu] > > Sent: Monday, August 06, 2007 4:42 PM > > To: LARTC@mailman.ds9a.nl > > Subject: RE: [LARTC] Marking and remarking of incoming traffic > > > > Hi Jon, > > > > You can use iptables to mark/change the DSCP value of an incoming > > packet on the ingress side. An example is below (where $in_dev can be > > whatever your input interface is): > > > > ip tables -t mangle -A FORWARD -i $in_dev -p tcp --ports 80 -j DSCP > > --set-dscp-class BE > > > > Basically the above example (re)marks all www traffic (meant to be > > forwarded through this node) entering via $in_dev to BE. > > > > There is a decent (IMO) manpage for iptables (there are too many > > permutations/combinations of options to list here). > > > > > -----Original Message----- > > > From: lartc-bounces@mailman.ds9a.nl > > > [mailto:lartc-bounces@mailman.ds9a.nl] > > > On Behalf Of Flechsenhaar, Jon J > > > Sent: Monday, August 06, 2007 7:08 PM > > > To: LARTC@mailman.ds9a.nl > > > Subject: [LARTC] Marking and remarking of incoming traffic > > > > > > I can use DSMARK to mark on the Egress side. Is there a way to > > > mark/change the DSCP value of an incoming packet on the ingress > side? > > > Thanks. 
> >
> >
> > Jon Flechsenhaar
> > Boeing WNW Team
> > Network Services
> > (714)-762-1231
> > 202-E7
> >
> > _______________________________________________
> > LARTC mailing list
> > LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From indunil75 at gmail.com Fri Aug 10 13:14:43 2007
From: indunil75 at gmail.com (Indunil Jayasooriya)
Date: Fri Aug 10 13:15:00 2007
Subject: [LARTC] Allocating 64 kbits/s out of 256 kbits/s for one LAN behingfirewall (SOLVED)
Message-ID: <7ed6b0aa0708100414t78855ee8s348aceffce08a84@mail.gmail.com>

Hi Paolo Malfatti,

Thanks for your script. It works fine. I get what I expect. THANK you all the way until it comes to an end.

FOR the benefit of everyone in the LIST, HERE IS the SCRIPT AGAIN.

INTERFAZ_LAN=eth0
FULLBANDWIDTH=256
BANDWIDTH4LAN=64

tc qdisc del root dev $INTERFAZ_LAN
tc qdisc add dev $INTERFAZ_LAN root handle 1 htb r2q 4
tc class add dev $INTERFAZ_LAN parent 1: classid 1:2 htb rate "$FULLBANDWIDTH"Kbit
tc class add dev $INTERFAZ_LAN parent 1: classid 1:5 htb rate "$BANDWIDTH4LAN"Kbit
tc qdisc add dev $INTERFAZ_LAN parent 1:5 handle 5 sfq perturb 10
tc filter add dev $INTERFAZ_LAN parent 1:0 protocol ip prio 1 u32 match ip dst 192.168.101.0/24 classid 1:5

On 8/8/07, Pio Mendez wrote:
>
> This script only shape the outgoing traffic (upload) in a NAT firewall.
> To
> shape the incoming traffic (downloads) there is a simpler script:
>
> INTERFAZ_LAN=eth0
> FULLBANDWIDTH=256
> BANDWIDTH4LAN=64
>
> tc qdisc del root dev $INTERFAZ_LAN
> tc qdisc add dev $INTERFAZ_LAN root handle 1 htb r2q 4
> tc class add dev $INTERFAZ_LAN parent 1: classid 1:2 htb rate "$FULLBANDWIDTH"Kbit
> tc class add dev $INTERFAZ_LAN parent 1: classid 1:5 htb rate "$BANDWIDTH4LAN"Kbit
> tc qdisc add dev $INTERFAZ_LAN parent 1:5 handle 5 sfq perturb 10
> tc filter add dev $INTERFAZ_LAN parent 1:0 protocol ip prio 1 u32 match ip dst 192.168.101.0/24 classid 1:5
>
> Regards
>
> Paolo Malfatti
>
> PS: don't forget to put a "tc qdisc del root dev $INTERFAZ_INT" rule at
> the beginning of your previous script.
>
> ------------------------------
> From: "Indunil Jayasooriya"
> To: "Pio Mendez", lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] Allocating 64 kbits/s out of 256 kbits/s for one LAN behingfirewall
> Date: Wed, 8 Aug 2007 12:30:59 +0530
>
> Hi Paolo Malfatti,
>
> Thanks for your script. I tried it.
>
> But I still can not allocate 64 kbit for LAN. We have a 256 kbit link.
> We usually download around @ 30-33 kbytes per second. That means, when it
> comes to kbits, I will have to multiply it by 8 as
> 1kbps=8kbit.
>
> pls see below for usual download rate, before applying your rules.
>
> [root@worldnet wget]# wget http://mirrors.kernel.org/centos/5.0/isos/i386/CentOS-5.0-i386-bin-6of6.iso
>
> --12:16:27--  http://mirrors.kernel.org/centos/5.0/isos/i386/CentOS-5.0-i386-bin-6of6.iso
>            => `CentOS-5.0-i386-bin-6of6.iso.1'
> Resolving mirrors.kernel.org... 204.152.191.7, 204.152.191.39
> Connecting to mirrors.kernel.org|204.152.191.7|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 407,005,184 (388M) [application/x-iso9660-image]
>
> 0% [ ] 2,749,752 30.10K/s ETA 4:43:0
>
> Then, I applied your rules.
> pls see below
>
> INTERFAZ_INT=eth0
> FULLBANDWIDTH=256
> BANDWIDTH4LAN=64
>
> iptables -t mangle -A PREROUTING -s 192.168.101.0/24 -j MARK --set-mark 0x5
>
> tc qdisc add dev $INTERFAZ_INT root handle 1 htb r2q 4
> tc class add dev $INTERFAZ_INT parent 1: classid 1:2 htb rate "$FULLBANDWIDTH"Kbit
> tc class add dev $INTERFAZ_INT parent 1: classid 1:5 htb rate "$BANDWIDTH4LAN"Kbit
> tc qdisc add dev $INTERFAZ_INT parent 1:5 handle 5 sfq perturb 10
> tc filter add dev $INTERFAZ_INT protocol ip parent 1: pref 1 handle 5 fw classid 1:5
>
> Still no luck. After applying the rules, I downloaded a CentOS ISO image. But
> I still can download @ the usual rate (i.e. 30-33 kbytes per second).
>
> If your rules work, I will be able to download @ about 8 kbytes per second.
> (i.e. 8*8 kbit = 64 kbit)
>
> That is what I expect?
>
> Where have I gone wrong?
>
> On 8/7/07, Pio Mendez wrote:
> >
> > >What is r2q and 4 there? I do not understand those two.
> > I recommend you to read this:
> >
> > http://luxik.cdi.cz/~devik/qos/htb/
> >
> > the r2q is a divisor used to calculate the quantum of htb (the amount
> > of bytes that will be transmitted before serving another class: quantum =
> > rate / r2q).
> >
> > >tc qdisc add dev $INTERFAZ_INT parent 1:5 handle 5 sfq perturb 10
> > >What is this above rule? I do not understand at all.
> > a must: http://lartc.org/howto/lartc.qdisc.html
> >
> > The classes do shape the traffic, but you need a Queue manager to transmit
> > it (qdisc rule). Here you will find an example of HTB script:
> >
> > http://lartc.org/howto/lartc.qdisc.classful.html#AEN1072
> >
> > >tc filter add dev $INTERFAZ_INT protocol ip parent 1: pref 1 handle 10 fw classid 1:5
> > >I do not understand the above rule too.
> >
> > there is an error: the right filter rule is:
> > tc filter add dev $INTERFAZ_INT protocol ip parent 1: pref 1 handle 5 fw classid 1:5
> >
> > The filter rule filters the traffic and sends the matching packets to the
> > right class.
> The iptables MARK rule marks the traffic before the SNAT. Later, after all
> iptables processing, the packets are filtered by this rule; if some packet
> matches the "handle 5" filter (packets marked with 5 by the iptables rule will
> match) then it will be shaped by the htb class to 64kbps.
>
> Hope this will help
> Regards
> Paolo Malfatti
>
> --
> Thank you
> Indunil Jayasooriya

--
Thank you
Indunil Jayasooriya
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070810/ff7ee4c0/attachment.htm

From pio_mendez at hotmail.com Sat Aug 11 00:10:53 2007
From: pio_mendez at hotmail.com (Pio Mendez)
Date: Sat Aug 11 00:11:11 2007
Subject: [LARTC] Big Recv-Q
Message-ID:

An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070810/9511b0f4/attachment-0001.html

From tami at disconnected.de Sat Aug 11 12:02:42 2007
From: tami at disconnected.de (Paul Zirnik)
Date: Sat Aug 11 12:03:02 2007
Subject: [LARTC] disable TCP slowstart ?
Message-ID: <200708111202.42986.tami@disconnected.de>

I'm trying to improve my internal apache proxy. It has to deliver a lot of little/medium sized files. But every transfer starts with the usual small window size. While this is good for internet connections it is not as good for only internal connections where the environment is sane.

I have tried to tune the initial window size via /proc/sys/net/ipv4/tcp_congestion_control, tried already bic, highspeed and vegas. Some will increase the window size faster, but all start with the same low window size.

So I'm asking if there is another way to either disable TCP slowstart completely or at least increase the initial window size.

Thanks for any help, hint in the right direction.
I know this will only improve milliseconds per transfer, but it's worth a try.

regards,
Paul

From lartc at manchotnetworks.net Sat Aug 11 15:58:17 2007
From: lartc at manchotnetworks.net (lartc)
Date: Sat Aug 11 15:58:25 2007
Subject: [LARTC] disable TCP slowstart ?
In-Reply-To: <200708111202.42986.tami@disconnected.de>
References: <200708111202.42986.tami@disconnected.de>
Message-ID: <1186840697.5908.3.camel@sumatra.radius.fr>

hi paul

On Sat, 2007-08-11 at 12:02 +0200, Paul Zirnik wrote:
> Im trying to improve my internal apache proxy. It has to deliver a lot of
> I know, this will only improve miliseconds per transfer, but it's worth a try.

yes -- in a low latency lan, this probably won't be enough.

- tune apache to your needs
- and depending on your kernel, you can always try adding this to your /etc/sysctl.conf

net.core.rmem_default=1048576
net.core.rmem_max=1048576
net.core.wmem_default=1048576
net.core.wmem_max=1048576

and then

sysctl -p

give it a try -- worked well for me ...

cheers
charles

From vdautrem at ulb.ac.be Sun Aug 12 01:51:52 2007
From: vdautrem at ulb.ac.be (Vincent Dautremont)
Date: Sun Aug 12 01:51:56 2007
Subject: [LARTC] tc and multiple ip on a device
Message-ID: <21D1C2E8-F39B-45A0-8B0B-9752B8A6E6BA@ulb.ac.be>

Hi,
I'm sort of testing a configuration and things are not working as I planned.

I have the following network diagram: PC1 to 7 connected on the same ethernet hub.

PC1 PC2 PC3 PC4 PC5 PC6 on network 192.168.5.0
PC6 and PC7 on network 192.168.1.0

So PC6 works as a router. In addition, PC6 is connected to both networks on the same device eth0.

Now on PC6, put a tbf on dev eth0 root with a rate 100ko/s.

Send data from PC1 to PC7. Is the data shaped by the tbf? I'd say yes but it does not!!!
Can someone explain me how? Is that normal? Would that happen too if PC6 was connected to both networks with different devices?

I did this test in virtualisation with these 7 machines on my macbookpro because I don't have the necessary hardware.
i think it doesn't change the initial problem but i'm ot 100% sure. Thanks. Vincent From vdautrem at ulb.ac.be Sun Aug 12 02:16:11 2007 From: vdautrem at ulb.ac.be (Vincent Dautremont) Date: Sun Aug 12 02:16:14 2007 Subject: Fwd: [LARTC] tc and multiple ip on a device References: <21D1C2E8-F39B-45A0-8B0B-9752B8A6E6BA@ulb.ac.be> Message-ID: <2DEEE6D8-6E61-4A88-A448-2FF611F0DA91@ulb.ac.be> well, it's kind of odd the default gateway of my PC1 to 5 is configured as PC6. that way, i can only begin a file transfert from PC1 to PC7 if PC6 is up and running. now, i made a large upload from PC1 to PC7 with scp, turned off PC6 during the file transfert, and the scp file transfer continue while PC6 is halted. so it's finally not a tc problem, but is this normal ? i find it weird. should i revise my TCP/IP basics? it seams like PC6 was used only for the startup of the the TCP session of scp and that every packet dring file transfert is ging directly from PC1 to PC7 !!!! perhaps it's a virtualisation issue that i don't get afterall. Vincent. D?but du message r?exp?di? : > De : Vincent Dautremont > Date : 12 ao?t 2007 01:51:52 GMT+02:00 > ? : lartc@mailman.ds9a.nl > Objet : [LARTC] tc and multiple ip on a device > > Hi, > i'm sort of testing a configuration and things are not working sa i > planned. > > i have the following network diagram: PC1 to 7 cnneced on the same > ethernet hub. > > PC1 PC2 PC 3 PC4 PC5 PC6 on network 192.168.5.0 > PC6 and PC7 on network 192.168.1.0 > > so PC6 work as a router. in addition, PC6 is connected to both > network on the same device eth0. > > > now on PC6, put a tbf on dev eth0 root with a rate 100ko/s > > send data from PC1 to PC7. is the data shaped by the tbf ? i'd say > yes but it does not !!! > can someone explain me how ? is that normal ? would that happen too > if PC6 was connected to both network with different devices ? 
>
> I did this test in virtualisation with these 7 machines on my
> macbookpro because i don't have the necessary hardware.
> i think it doesn't change the initial problem but i'm not 100% sure.
>
> Thanks.
> Vincent
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070812/00d2eade/attachment.htm

From oliv at arsac.org Mon Aug 13 11:49:23 2007
From: oliv at arsac.org (olivier arsac)
Date: Mon Aug 13 11:49:49 2007
Subject: [LARTC] How to check an inactive slave in a bond?
In-Reply-To: <15750.1184878191@death>
References: <469F6422.5060303@arsac.org> <15750.1184878191@death>
Message-ID: <46C02923.1010904@arsac.org>

Thank you for this very complete answer.

- Assuming I really have to implement some sort of inactive slave-link check.
- Assuming it is acceptable to remove the inactive slave from the bond for the duration of the check.

Could you help me check my script? It works well for me but as I'm about to deploy it for production purposes I'd rather have a double check from you guys. (Note: I'm not reliable when it comes to (among other things) routing and network related topics)

Thx.
Olivier

---------------------------------------------------------------------------------------
#!/bin/bash
# Check all nics enslaved in a bond.
# This is a way to check that all nics (including inactive ones) are working properly.
#
# Authors:
#   OA: Olivier Arsac
# History:
#   19/04/2007: OA scratch
#   31/06/2007: OA better handling of "free" IPs used during test
# TODO:
#   remove all TODOs from the script

#set -x
# try to be robust -> exit if a variable is not set (probably something went wrong)
set -o nounset

# restore the bond if someone interrupts the script (clean is defined further
# down; the trap only resolves the name when a signal actually arrives)
trap clean INT TERM

PATH=/exploit/local/sbin:/exploit/local/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/exploit/unix/prod/bin

com=`basename "$0"`
fullcom="$*"

usage() {
    echo "Usage: $com [-q] [-i ip] [-t target] [bond]"
    echo "  Check all nics enslaved to a bond."
    echo "  This is a way to check that all nics (including inactive ones) are working properly. You should check that periodically to avoid nasty surprises when your active nic stops working and you have to fall back to your (unchecked) slave one."
    echo "  exit 0 if all is OK (or if no bond is present)."
    echo "  -q: quiet (no verbose message for human operator)."
    echo "  -i: ip to use during check of inactive slaves."
    echo "  -t: target ip to ping during checks."
    echo "eg: $com"
    echo "  check all nics from all bonds."
    echo "eg: $com -q bond0"
    echo "  check silently all nics from bond0."
}

# message helpers: defined before the argument parsing, which already uses echoe
# (a bash function must exist before the first call to it)
function echoe(){
    echo "$@" >/dev/stderr
}
function echoq(){
    if [ $quiet -eq 0 ] ; then echo "$@"; fi
}

quiet=0
ip=""
target=""
while getopts "qi:t:" option
do
    case $option in
        q) quiet=1;;
        i) ip=$OPTARG;;
        t) target=$OPTARG;;
        *) usage; exit 1;;
    esac
done
# drop what has been parsed by getopts
shift `expr $OPTIND - 1`

# get args
if [ "$#" -ne 0 ]
then
    bonds="$@"
    for bond in $bonds; do
        if [ ! -f /proc/net/bonding/$bond ]; then
            echoe "Error: $bond is not a valid bond."
            exit 6
        fi
    done
else
    bonds=`ls /proc/net/bonding/ 2>/dev/null`
fi

# match a MAC address (extended regex, used with egrep)
re_mac="([a-zA-Z0-9][a-zA-Z0-9]:){5}[a-zA-Z0-9][a-zA-Z0-9]"
# match an IPv4 address: 1 to 3 digits per octet (extended regex, used with grep -E)
re_ip="([0-9]{1,3}[.]){3}[0-9]{1,3}"

# set a valid mac to a nic
# (must get a mac from the slaves in bond but one that is not currently in use by the bond)
get_free_mac_ret=""
function get_free_mac(){
    bond=$1
    nic=$2
    free_mac=""
    macs=`grep "Permanent HW addr:" /proc/net/bonding/$bond | egrep -o "$re_mac" | tr 'a-z' 'A-Z'`
    bond_mac=`ifconfig $bond | grep HWaddr | egrep -o "$re_mac"`
    for mac in $macs; do
        if [ "$mac" != "$bond_mac" ]; then
            free_mac=$mac
        fi
    done
    get_free_mac_ret=$free_mac
}

# ping a target using a specified nic to test for IP connectivity
check_nic_ret=0
function check_nic(){
    target=$1
    # nic is empty when called without an interface (ping through the active slave);
    # it must still be set, or the error message below trips "nounset"
    nic=""
    if [ $# -ge 2 ]; then
        nic=$2
        ping -n -c 3 -I $nic $target 1>/dev/null 2>/dev/null
    else
        ping -n -c 3 $target 1>/dev/null 2>/dev/null
    fi
    if [ $? -ne 0 ]; then
        ma=""
        if [ $# -ge 3 ]; then
            ma="(using $3 as ip)"
        fi
        echoq " [ERROR]"
        echo "${nic:-active slave} interface on $host is not working properly! $ma" > /dev/stderr
        check_nic_ret=1
    else
        echoq " [OK]"
        check_nic_ret=0
    fi
}

# arping a target using a specified nic to test for IP connectivity
function exercise_nic_arp(){
    target=$1
    nic=$2
    src_ip=$3
    arping -c 3 -s "$src_ip" -I "$nic" "$target" 1>/dev/null 2>/dev/null
}

# reset a properly configured bond if someone interrupts the script
clean_bond=""
clean_nic=""
function clean(){
    echoq
    echoq "Script interrupted, restoring bond."
    if [ ! -z "$clean_bond" ] && [ ! -z "$clean_nic" ]; then
        ifenslave $clean_bond $clean_nic 2>/dev/null
    fi
    exit 2
}

host=`hostname -s`
table=200

if [ ! -d /proc/net/bonding ]; then
    echoe "Warning: Module bonding not loaded. Obviously no bond to check."
    # trying to check a bond on a server where none is present is probably not really an error -> exit 0 with a warning message
    exit 0
fi

if [ -z "$target" ]; then
    # no target given as parameter -> auto-detect
    # get the default gateway as a ping target
    target=`route -n | grep UG | awk '{print $2}'`
    if [ -z "$target" ]; then
        echoe "Error: Unable to auto-detect the target to use during test (use -t?)."
        exit 3
    fi
fi

if [ -z "$ip" ]; then
    # no ip given as parameter -> auto-detect
    ip_b1=`host "${host}-bond-t1" | grep -Eo "$re_ip"`
    ip_b2=`host "${host}-bond-t2" | grep -Eo "$re_ip"`
    if [ -z "$ip_b1" ] && [ -z "$ip_b2" ]; then
        echoe "Error: Unable to auto-detect an ip to use during test (use -i?)."
        exit 4
    fi
fi

error_nb=0
for bond in $bonds
do
    bond=`basename $bond`
    echoq "checking bond $bond"
    active=`grep "Active Slave" /proc/net/bonding/$bond | cut -d':' -f2`
    echoq -n " active slave :$active"
    check_nic $target
    error_nb=$(($error_nb + $check_nic_ret))
    slaves=`grep "Slave Interface:" /proc/net/bonding/$bond | cut -d':' -f2`
    slave_nb=0
    for slave in $slaves
    do
        if [ $slave != $active ]; then
            # this nic is enslaved but not active. we want to check if it is ready to work
            # (no cable or VPN trouble that will bite us only when the active slave will change)
            echoq -n " inactive slave : $slave"
            # search for a free mac in this bond (ie a real phy MAC that is not the one used by the bond)
            get_free_mac $bond $slave
            free_mac=$get_free_mac_ret
            # store the bond/nic we are going to un-enslave (to be able to re-enslave it in case of interrupt)
            clean_bond=$bond
            clean_nic=$slave
            if [ -z "$ip" ]; then
                # fall back to the second test ip when the first one does not resolve
                ip="${ip_b1:-$ip_b2}" # TODO: use a clever way to match slave and free ip
            fi
            # free this nic from the bond
            ifenslave -d $bond $slave
            # set it up with a "free" mac
            ifconfig $slave hw ether $free_mac
            # set it up with a temp IP
            ifconfig $slave $ip netmask 255.255.255.255
            # it seems we need a small temporisation here or the rest may fail
            sleep 2
            exercise_nic_arp $target $slave $ip
            check_nic $target $slave $ip
            error_nb=$(($error_nb + $check_nic_ret))
            # clean this temporary ip/route
            ifconfig $slave down
            # re-enslave this nic to the bond
            ifenslave $bond $slave
            clean_bond=""; clean_nic=""
            slave_nb=$(($slave_nb + 1))
        fi
    done
    echoq -n " bond : $bond"
    check_nic $target $bond
    error_nb=$(($error_nb + $check_nic_ret))
    if [ $slave_nb -eq 0 ]; then
        echoe "Error: No inactive slave in $bond."
        exit 5
    fi
done
if [ $error_nb -ne 0 ]; then
    exit $((10 + $error_nb))
fi
exit 0
---------------------------------------------------------------------------------------

From lburatti at zacmi.it Mon Aug 13 16:00:25 2007
From: lburatti at zacmi.it (lburatti@zacmi.it)
Date: Mon Aug 13 16:00:43 2007
Subject: [LARTC] luca buratti is out of office
Message-ID:

I will be out of the office from 13/08/2007 and will not be back until 27/08/2007. I will reply to the message when I return.

Trend Scan Mail: this message is virus free.
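Added example, not Olivier's script and not from the thread: a read-only audit of the same /proc/net/bonding fields his script greps (Currently Active Slave, Slave Interface, MII Status, Link Failure Count, Permanent HW addr), run against a constructed sample of that file so it needs no real bond and never un-enslaves anything. The function names, the sample file contents and the locally administered MAC addresses are all assumptions.

```shell
#!/bin/sh
# Added example (not part of Olivier's script): read-only audit of the
# /proc/net/bonding fields that script greps (Currently Active Slave,
# Slave Interface, MII Status, Link Failure Count, Permanent HW addr).
# A constructed sample replaces the kernel file so it runs without a bond.

set -u

# Constructed sample of /proc/net/bonding/bond0: eth0 active and healthy,
# eth1 the backup slave with its link down and three recorded failures.
SAMPLE_FILE="$(mktemp)"
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
Ethernet Channel Bonding Driver: v3.1.2 (January 20, 2007)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 02:00:00:00:00:01

Slave Interface: eth1
MII Status: down
Link Failure Count: 3
Permanent HW addr: 02:00:00:00:00:02
EOF

# Name of the slave the bond currently transmits through.
bond_active_slave() {
    awk -F': ' '/^Currently Active Slave:/ { print $2 }' "$1"
}

# All enslaved interfaces, one per line, in /proc order.
bond_slaves() {
    awk -F': ' '/^Slave Interface:/ { print $2 }' "$1"
}

# Value of KEY inside the per-slave section of SLAVE (e.g. "MII Status").
# Keys are only matched after a "Slave Interface:" line has been seen, so
# the bond-level "MII Status" at the top of the file is never returned.
bond_slave_field() {  # file slave key
    awk -F': ' -v slave="$2" -v key="$3" '
        /^Slave Interface:/ { cur = $2 }
        cur == slave && $1 == key { print $2; exit }
    ' "$1"
}

# A permanent slave MAC that the bond itself is not using right now: the
# same selection get_free_mac makes, with the bond MAC passed in instead
# of read from ifconfig so the function works offline. Returns 1 if none.
bond_free_mac() {  # file bond_mac
    bond_mac="$(printf '%s' "$2" | tr 'a-f' 'A-F')"
    for mac in $(awk -F': ' '/^Permanent HW addr:/ { print $2 }' "$1" | tr 'a-f' 'A-F'); do
        if [ "$mac" != "$bond_mac" ]; then
            printf '%s\n' "$mac"
            return 0
        fi
    done
    return 1
}

# Passive health check of every inactive slave: flag a link the kernel
# reports down or that has recorded link failures. The return value is the
# number of problems found, so 0 means the backup links look healthy.
bond_audit() {  # file
    file="$1"
    problems=0
    active="$(bond_active_slave "$file")"
    for slave in $(bond_slaves "$file"); do
        [ "$slave" = "$active" ] && continue
        status="$(bond_slave_field "$file" "$slave" "MII Status")"
        failures="$(bond_slave_field "$file" "$slave" "Link Failure Count")"
        if [ "$status" != "up" ]; then
            echo "WARN: inactive slave $slave: MII status '$status'" >&2
            problems=$((problems + 1))
        fi
        if [ "${failures:-0}" -gt 0 ]; then
            echo "WARN: inactive slave $slave: $failures link failure(s)" >&2
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

echo "active slave: $(bond_active_slave "$SAMPLE_FILE")"
echo "MAC a test could borrow: $(bond_free_mac "$SAMPLE_FILE" 02:00:00:00:00:01)"
bond_audit "$SAMPLE_FILE" || echo "$? problem(s) found on inactive slaves"
```

MII status and the link failure counter only describe the local link, so this is a cheap pre-check that can run from cron without touching the bond, not a replacement for the end-to-end ping through the un-enslaved interface that the script above performs.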
From mailinglists at lucassen.org Mon Aug 13 22:59:58 2007
From: mailinglists at lucassen.org (richard lucassen)
Date: Mon Aug 13 23:00:04 2007
Subject: [LARTC] bonding tap devices
Message-ID: <20070813225958.26129e43.mailinglists@lucassen.org>

Hello list,

Please don't shoot me. I know I'm doing something with bonding that bonding wasn't made for. I just want to give it a try. I want a simple mechanism to have a failover on a 24Mbit line to a 2Mbit line in case the 24Mbit line goes down.

Between A and B there are two lines: a 24Mbit and a 2Mbit. I use two OpenVPN tunnels with tap devices:

  +-- tap0 (A)--- OpenVPN tunnel over 24Mbit --- tap0 (B) ---+
  |                                                          |
A-+                                                          +-B
  |                                                          |
  +-- tap1 (A)--- OpenVPN tunnel over 2Mbit ---- tap1 (B) ---+

I set up bond0 on both sides with tap0 as primary device using arpings:

/sbin/modprobe -v bonding \
    mode=1 \
    primary=tap0 \
    arp_interval=2000 \
    arp_ip_target=10.1.0.1 (2 on the other end)

bond0 (A) 10.1.0.1
bond0 (B) 10.2.0.1

When starting bond0 on both sides, everything is ok. When the 24Mbit line goes down, the 2Mbit line takes over within a few seconds as configured.

But the line is not coming back to the primary 24Mbit line as I expected. There are no arpings sent into the 24Mbit tunnel.

OTOH, the normal situation is immediately restored when I assign an ip address to the tap-devices and ping them directly (from 10.4.4.4 to 10.5.5.5, I get no reply, but that doesn't matter)

      +-- tap0 10.4.4.4 --- 24Mbit --- tap0 10.5.5.5 ---+
      |                                                 |
bond0-+ (10.1.0.1)                           (10.2.0.1) +-bond0
      |                                                 |
      +-- tap1 10.6.6.6 --- 2Mbit ---- tap1 10.7.7.7 ---+

Anyone a hint (or a better idea)?

R.

--
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.
+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+

From Michael.Gilly at coface.at Mon Aug 13 23:06:53 2007
From: Michael.Gilly at coface.at (Michael.Gilly@coface.at)
Date: Mon Aug 13 23:07:08 2007
Subject: [LARTC] Out of office auto reply
Message-ID:

I will be out of the office starting 06/08/2007 and will not return until 28/08/2007.

I will answer your inquiry after my return to the office. In urgent cases, please do contact Christina.Fuksa@coface.at (T: +43/1/515 54 - 332) or Tan Van Nguyen (T: +43/1/515 54 -267).

With kind regards,
Michael Gilly.

From lartc at ssi.bg Mon Aug 13 23:38:04 2007
From: lartc at ssi.bg (Anton Glinkov)
Date: Mon Aug 13 23:37:59 2007
Subject: [LARTC] bonding tap devices
In-Reply-To: <20070813225958.26129e43.mailinglists@lucassen.org>
References: <20070813225958.26129e43.mailinglists@lucassen.org>
Message-ID: <46C0CF3C.7030105@ssi.bg>

Hello,

Why don't you just use bridging with spanning tree? Will achieve exactly the thing you need.

1. Create br0 on both machines
2. Turn on spanning tree on br0
3. Choose one of them to be root
4. Assign tap0 and tap1 to br0 (tap0 having lower path cost)

that's it.

Or just check if there is some kind of backup option in openvpn - to start a tunnel to another host if the primary one fails... Can't help you here - I've never used openvpn.

Bonding is used for combining interfaces with equal bandwidth and IMO will have unpredicted consequences in your scenario :-)

Regards

richard lucassen wrote:
> Hello list,
>
> Please don't shoot me. I know I'm doing something with bonding that
> bonding wasn't made for. I just want to give it a try. I want a simple
> mechanism to have a failover on a 24Mbit line to a 2Mbit line in case
> the 24Mbit line goes down.
>
> Between A and B there are two lines: a 24Mbit and a 2Mbit.
I use two > OpenVPN tunnels with tap devices: > > +-- tap0 (A)--- OpenVPN tunnel over 24Mbit --- tap0 (B) ---+ > | | > A-+ +-B > | | > +-- tap1 (A)--- OpenVPN tunnel over 2Mbit ---- tap1 (B) ---+ > > I set up bond0 on both sides with tap0 as primary device using arpings: > > /sbin/modprobe -v bonding \ > mode=1 \ > primary=tap0 \ > arp_interval=2000 \ > arp_ip_target=10.1.0.1 (2 on the other end) > > bond0 (A) 10.1.0.1 > bond0 (B) 10.2.0.1 > > When starting bond0 on both sides, everything is ok. When the 24Mbit > line goes down, the 2Mbit line takes over within a few seconds as > configured. > > But the line is not coming back to the primary 24Mbit line as I > expected. There are no arpings sent into the 24Mbit tunnel. > > OTOH, the normal situation is immediately restored when I assign an ip > address to the tap-devices and ping them directly (from 10.4.4.4 to > 10.5.5.5, I get no reply, but that doesn't matter) > > > +-- tap0 10.4.4.4 --- 24Mbit --- tap0 10.5.5.5 ---+ > | | > bond0-+ (10.1.0.1) (10.2.0.1) +-bond0 > | | > +-- tap1 10.6.6.6 --- 2Mbit ---- tap1 10.7.7.7 ---+ > > Anyone a hint (or a better idea)? > > R. > -- Anton Glinkov network administrator From mailinglists at lucassen.org Tue Aug 14 00:07:35 2007 From: mailinglists at lucassen.org (richard lucassen) Date: Tue Aug 14 00:07:38 2007 Subject: [LARTC] Re: bonding tap devices In-Reply-To: <46C0CF3C.7030105@ssi.bg> References: <20070813225958.26129e43.mailinglists@lucassen.org> <46C0CF3C.7030105@ssi.bg> Message-ID: <20070814000735.5aff2a22.mailinglists@lucassen.org> On Tue, 14 Aug 2007 00:38:04 +0300 Anton Glinkov wrote: > Why don't you just use bridging with spanning tree? > Will achieve exactly the thing you need. > > 1. Create br0 on both machines > 2. Turn on spanning tree on br0 > 3. Choose one of them to be root > 4. Assign tap0 and tap1 to br0 (tap0 having lower path cost) > that's it. 
Hmm, "keep things as simple as possible, but not any simpler", Einstein once said :-)

> Or just check if there is some kind of backup option in openvpn - to
> start a tunnel to another host if the primary one fails...
> Can't help you here - I've never used openvpn.

There is an option in the 2.1 version which is called "multihome" and "float" (IIRC), but switching (almost) instantly from one server address to another is not workable as there is a hardcoded timeout (AFAIK).

> Bonding is used for combining interfaces with equal bandwidth and IMO
> will have unpredicted consequences in your scenario :-)

Not as long as I use failover only ;-)

But I'll try the stp option tomorrow. It's beer time here :-)

-- 
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+

From rabbit at rabbit.us Tue Aug 14 00:30:53 2007
From: rabbit at rabbit.us (Peter Rabbitson)
Date: Tue Aug 14 00:31:02 2007
Subject: [LARTC] Policy routing question
Message-ID: <46C0DB9D.3000104@rabbit.us>

Hi,

I have a testing multihome setup, with the default gateway being one of the links and using policy routing to honor requests for a specific link. Everything works as expected when I request a specific IP to bind to. But if I request a specific interface things fall apart in ways that I can not explain:

default gw (WORKS)
----------
rabbit@Thesaurus:~$ ping -c 1 yahoo.com
PING yahoo.com (216.109.112.135) 56(84) bytes of data.
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=1 ttl=48 time=142 ms

request IP on same link as default gw (WORKS)
-------------------------------------
rabbit@Thesaurus:~$ ping -I 192.168.9.102 -c 1 yahoo.com
PING yahoo.com (66.94.234.13) from 192.168.9.102 : 56(84) bytes of data.
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=1 ttl=47 time=176 ms

request IP on secondary link (WORKS)
----------------------------
rabbit@Thesaurus:~$ ping -I 172.16.0.2 -c 1 yahoo.com
PING yahoo.com (216.109.112.135) from 172.16.0.2 : 56(84) bytes of data.
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=1 ttl=47 time=146 ms

request interface of default gw link (WORKS)
------------------------------------
rabbit@Thesaurus:~$ ping -I eth1 -c 1 yahoo.com
PING yahoo.com (66.94.234.13) from 192.168.9.102 eth1: 56(84) bytes of data.
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=1 ttl=47 time=176 ms

request secondary interface (FAILS)
---------------------------
rabbit@Thesaurus:~$ ping -I eth0 -c 1 yahoo.com
PING yahoo.com (216.109.112.135) from 192.168.9.102 eth0: 56(84) bytes of data.
From 172.16.0.2 icmp_seq=1 Destination Host Unreachable

I went over the setup again and again, but I can't figure out why the last ping attempt fails. Any pointers are welcome!

Thanks
Peter

Here is the setup:

ip addr
----------
2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:09:8d:4f:c1 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.2/24 brd 172.16.0.255 scope global eth0
3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:04:e2:80:b4:97 brd ff:ff:ff:ff:ff:ff
    inet 192.168.9.102/24 brd 192.168.9.255 scope global eth1

ip ro show table all
-----------------------
default via 172.16.0.1 dev eth0 table 10
default via 192.168.9.1 dev eth1 table 20
default via 192.168.9.1 dev eth1 table default
172.16.0.0/24 dev eth0 proto kernel scope link src 172.16.0.2
192.168.9.0/24 dev eth1 proto kernel scope link src 192.168.9.102
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.9.0 dev eth1 table local proto kernel scope link src 192.168.9.102
broadcast 172.16.0.0 dev eth0 table local proto kernel scope link src 172.16.0.2
local 192.168.9.102 dev eth1 table local proto kernel scope host src 192.168.9.102
local 172.16.0.2 dev eth0 table local proto kernel scope host src 172.16.0.2
broadcast 192.168.9.255 dev eth1 table local proto kernel scope link src 192.168.9.102
broadcast 172.16.0.255 dev eth0 table local proto kernel scope link src 172.16.0.2
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1

ip ru
-----
0:      from all lookup local
5:      from all lookup main
10:     from all iif eth0 lookup 10
11:     from 172.16.0.0/24 lookup 10
20:     from all iif eth1 lookup 20
21:     from 192.168.9.0/24 lookup 20
100:    from all lookup default

no netfilter rules of any sort (all policies set at ACCEPT)

From eriberto at eriberto.pro.br Tue Aug 14 04:11:24 2007
From: eriberto at eriberto.pro.br (Eriberto)
Date: Tue Aug 14 04:11:32 2007
Subject: [LARTC] Trying understand the HTB
Message-ID: <4784fdae0708131911j586560a3mc49bbda077736cd2@mail.gmail.com>

Hi!
I am studying HTB. I used the topology shown below:

10.1.0.1 ------ 10.1.14.25 (eth1) / 192.168.10.10 (eth0) ----- 192.168.10.11
(host 1)                        (router)                       (host 2)

All machines use Debian Etch. There is an iptables masquerading rule for eth1 in the router machine. The NICs are 100 Mb/s. The host 1 has Apache 2 and a file with 670 MB (CD ISO image) to download.

When I used wget to get http://10.1.0.1/file.iso from 192.168.10.11 without tc, the speed shown by wget was 9.15 M/s (= 73.2 Mbits/s). The iptraf confirmed it. Then I used these lines to control the traffic:

tc qdisc del dev eth1 root
tc qdisc add dev eth1 root handle 1: htb default 40
tc class add dev eth1 root classid 1:0 htb rate 10mbit
tc class add dev eth1 parent 1:0 classid 1:40 htb rate 500kbit

After the tc rules, when I got file.iso, the speed shown by wget was 2.77 M/s (= 22.16 Mbits/s). But I used 500kbit (= 62.5 KB/s) in the default class.

My question is: why was the tc default class configured with 500 Kb/s and the real speed (confirmed by wget and Iptraf) was 22.16 Mb/s?

Thanks in advance.

Eriberto - Brazil

From mailinglists at lucassen.org Tue Aug 14 15:48:38 2007
From: mailinglists at lucassen.org (richard lucassen)
Date: Tue Aug 14 15:48:56 2007
Subject: [LARTC] Re: bonding tap devices
In-Reply-To: <46C0CF3C.7030105@ssi.bg>
References: <20070813225958.26129e43.mailinglists@lucassen.org> <46C0CF3C.7030105@ssi.bg>
Message-ID: <20070814154838.339af64d.mailinglists@lucassen.org>

On Tue, 14 Aug 2007 00:38:04 +0300
Anton Glinkov wrote:

> Why don't you just use bridging with spanning tree?
> Will achieve exactly the thing you need.
>
> 1. Create br0 on both machines
> 2. Turn on spanning tree on br0
> 3. Choose one of them to be root
> 4. Assign tap0 and tap1 to br0 (tap0 having lower path cost)
> that's it.

Works like a charm :)

-- 
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+

From Jon.J.Flechsenhaar at boeing.com Tue Aug 14 19:06:10 2007
From: Jon.J.Flechsenhaar at boeing.com (Flechsenhaar, Jon J)
Date: Tue Aug 14 19:06:41 2007
Subject: [LARTC] Trying understand the HTB
In-Reply-To: <4784fdae0708131911j586560a3mc49bbda077736cd2@mail.gmail.com>
References: <4784fdae0708131911j586560a3mc49bbda077736cd2@mail.gmail.com>
Message-ID: <0E24ED2A7F9AA349A8633E6A56A64BE0027A8425@XCH-SW-2V1.sw.nos.boeing.com>

The commands work but the structure doesn't seem right to me.

Try this ...

tc qdisc del dev eth1 root
tc qdisc add dev eth1 root handle 1: htb default 40
tc class add dev eth1 parent 1: classid 1:1 htb rate 10mbit
tc class add dev eth1 parent 1:1 classid 1:40 htb rate 500kbit

Jon Flechsenhaar
Boeing WNW Team
Network Services
(714)-762-1231
202-E7

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From eriberto at eriberto.pro.br Tue Aug 14 23:27:05 2007
From: eriberto at eriberto.pro.br (Eriberto)
Date: Tue Aug 14 23:27:13 2007
Subject: [LARTC] Trying understand the HTB
In-Reply-To: <0E24ED2A7F9AA349A8633E6A56A64BE0027A8425@XCH-SW-2V1.sw.nos.boeing.com>
References: <4784fdae0708131911j586560a3mc49bbda077736cd2@mail.gmail.com> <0E24ED2A7F9AA349A8633E6A56A64BE0027A8425@XCH-SW-2V1.sw.nos.boeing.com>
Message-ID: <4784fdae0708141427j3128014byca647d90bb66f7b7@mail.gmail.com>

Hi! Thanks for your response. I used your suggestion but the traffic was 2.71 MB/s (21.680 Kb/s). I need 500 Kb/s. What is the error???

Thanks in advance.

Regards,

Eriberto - Brazil

2007/8/14, Flechsenhaar, Jon J :
> The commands work but the structure doesn't seem right to me.
>
> Try this ...
>
> tc qdisc del dev eth1 root
> tc qdisc add dev eth1 root handle 1: htb default 40
> tc class add dev eth1 parent 1: classid 1:1 htb rate 10mbit
> tc class add dev eth1 parent 1:1 classid 1:40 htb rate 500kbit

From bschenker at restechservices.net Wed Aug 15 14:11:50 2007
From: bschenker at restechservices.net (Bryan Schenker)
Date: Wed Aug 15 14:12:17 2007
Subject: [LARTC] Trying understand the HTB
In-Reply-To: <20070815100006.25EC84B94F@outpost.ds9a.nl>
References: <20070815100006.25EC84B94F@outpost.ds9a.nl>

To limit bandwidth to your 192.168.10.11 host, you need to be rate limiting on the eth0 interface, not the eth1 interface, if I understand how your router is plugged in. tc limits bandwidth leaving an interface. So right now, as the rules are written, you are limiting to 500kbit the bandwidth you can UPLOAD to 10.1.0.1.

From mingching.tiew at redtone.com Thu Aug 16 11:20:46 2007
From: mingching.tiew at redtone.com (Ming-Ching Tiew)
Date: Thu Aug 16 11:21:13 2007
Subject: [LARTC] Unable to match/classify non-icmp traffic with TOS bigger than 0x10
Message-ID: <010101c7dfe6$ba56c7b0$0100a8c0@MingChing>

This problem is driving me nuts, so I am seeking help here. Your help will be deeply appreciated.

I have made myself a Linux bridge with eth1 and eth0 to form br0. Then I run a script to configure tc with htb on it. But I can never match non-icmp traffic (such as tcp and udp) with TOS or DSCP values such as 0x68.

The full story is as follows:

1. On the source testing machine, I do this to set the tos and dscp settings:

(A) iptables -t mangle -A OUTPUT -j TOS --set-tos 0x10
    (to make ssh tos value 0x10)

or

(B) iptables -t mangle -A OUTPUT -j DSCP --set-dscp 0x1a
    (to make ssh DSCP value 0x68)

2. Then on the bridge machine, I have tc filters as follows:

(A) tc filter add dev eth0 parent 1: protocol ip prio 10 u32 \
        match ip tos 0x10 0xfc flowid 1:10
    tc filter add dev eth1 parent 1: protocol ip prio 10 u32 \
        match ip tos 0x10 0xfc flowid 1:10

Then I do a ssh login to side B of the bridge from side A. It shows that the traffic has been classified correctly.
(B) tc filter add dev eth0 parent 1: protocol ip prio 10 u32 \ match ip tos 0x68 0xfc flowid 1:10 tc filter add dev eth1 parent 1: protocol ip prio 10 u32 \ match ip tos 0x68 0xfc flowid 1:10 Then I do a ssh login to side B of the bridge from side A, the traffic has not been classified correctly. The class 1:10 picks up zero traffic. (C) However if I ping side B of the bridge from side A, it shows that icmp could be classified into class 1:10. Why it is just not possible to classify anything other than icmp ? Regards. -------------------------------------------------------- Important Warning! *************************** This electronic communication (including any attached files) may contain confidential and/or legally privileged information and is only intended for the use of the person to whom it is addressed. If you are not the intended recipient, you do not have permission to read, use, disseminate, distribute, copy or retain any part of this communication or its attachments in any form. If this e-mail was sent to you by mistake, please take the time to notify the sender so that they can identify the problem and avoid any more mistakes in sending e-mail to you. The unauthorised use of information contained in this communication or its attachments may result in legal action against any person who uses it. From mitnlag at yandex.ru Thu Aug 16 13:48:11 2007 From: mitnlag at yandex.ru (=?windows-1251?B?wujy4Ovo6SDW9e7i8OXh7uI=?=) Date: Thu Aug 16 13:48:34 2007 Subject: [LARTC] two providers. Message-ID: <136729277.20070816154811@yandex.ru> Hello, people. I read iptables tutorial and lartc, but i'm still confused with one trouble. May be this question was discussed already, so forward me solution, if is. So, there's a trouble. I have debian etch linux. 2.6.18-4 kernel. On this computer i have three interfaces: eth0 - my lan, eth1, eth2 - providers. By default all internet traffic routed through eth2. 
But i NEED to route mail and icq (tcp110, tcp25, tcp5190) through eth1. How can i do that? Regards, Vitaliy Tskhovrebov. From david_list at boreham.org Thu Aug 16 15:29:09 2007 From: david_list at boreham.org (David Boreham) Date: Thu Aug 16 15:29:16 2007 Subject: [LARTC] How to see the sfq hash table ? Message-ID: <46C45125.4030602@boreham.org> I'm grappling with a problem that looks like sfq is not working (packets don't get fairly queued, they appear to be always sent FIFO). My configuration appears to be correct. The machine is running quite an old kernel and if I could convince myself that the sfq code it has is just broken, I'd spend the time to upgrade it. Is there any way to inspect or dump the sfq hash table on a running machine ? Thanks. From goblin at pentex.pl Thu Aug 16 17:25:39 2007 From: goblin at pentex.pl (goblin@pentex.pl) Date: Thu Aug 16 17:45:08 2007 Subject: [LARTC] two providers. In-Reply-To: <136729277.20070816154811@yandex.ru> References: <136729277.20070816154811@yandex.ru> Message-ID: <8cd844dfd487463b1d7e5a8238b15c35@localhost> > So, there's a trouble. > > I have debian etch linux. 2.6.18-4 kernel. > > On this computer i have three interfaces: eth0 - my lan, eth1, eth2 - > providers. > > By default all internet traffic routed through eth2. But i NEED to > route mail and icq (tcp110, tcp25, tcp5190) through eth1. How can i do > that? A while ago ive used a similar configuration, what ive done was: - create additionall routing table add all regular entries to it with changed default gateway for the second provider like: ip route add xxx.xxx.xxx.xxx via yyy.yyy.yyy.yyy table 2 ... 
ip route add default via IP_OF_2ND_GATEWAY table 2 - mark desired traffic with iptables iptables -I FORWARD -s LAN_NET/MASK -p tcp --dport XXX -j MARK --set-mark 2 - use ip rules to direct marked packets via alternative routing table ip rule add fwmark 2 table 2 - and maby add additionall rule to make all packages originating at eth1 ip to go via table 2 ip rule add from ETH1_IP table 2 should be more or less something like this, though i dont recall if syntax was exactly like ive wrote above. big dissadvantage of this solution is utilisation of marks, that might be used for another purpose. -- Radek 'Goblin' Pieczonka From maillist1 at argontech.net Thu Aug 16 18:19:17 2007 From: maillist1 at argontech.net (Marco C. Coelho) Date: Thu Aug 16 18:11:09 2007 Subject: [LARTC] HTB tree is too deep Message-ID: <46C47905.1050201@argontech.net> I've got a linux (2.6.18-8.1.6.el5.centos.plus) router doing pppoe termination and HTB rate limiting. the number of connections has grown quite a bit in the last few months, and I'm now getting a: HTB tree is too deep message on the monitor. where is the setting for max depth? From salim.si at cipherium.com.tw Fri Aug 17 04:47:26 2007 From: salim.si at cipherium.com.tw (Salim S I) Date: Fri Aug 17 04:47:46 2007 Subject: [LARTC] Unable to match/classify non-icmp traffic with TOS biggerthan 0x10 In-Reply-To: <010101c7dfe6$ba56c7b0$0100a8c0@MingChing> Message-ID: <000001c7e078$f5a30f30$b9021d0a@SalimSi> Is it because the TOS and DSCP values are different? -----Original Message----- From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Ming-Ching Tiew Sent: Thursday, August 16, 2007 5:21 PM To: lartc@mailman.ds9a.nl Subject: [LARTC] Unable to match/classify non-icmp traffic with TOS biggerthan 0x10 This problem is driving nuts, so I am seeking help here. Your help will be deeply appreciated. I have made myself a Linux bridge with eth1 and eth0 to form br0. 
Then I run a script to configure tc with htb on it. But I can never match non-icmp traffic ( such as tcp and udp ) with TOS or DSCP values such as 0x68. The full story as follows :- 1. On the source testing machine, I do this to set the tos and dscp settings :- (A) iptables -t mangle -A OUTPUT -j TOS --set-tos 0x10 ( to make ssh tos value 0x10 ) or (B) iptables -t mangle -A OUTPUT -j DSCP --set-dscp 0x1a ( to make ssh DSCP value 0x68 ) 2. Then on the bridge machine, I have tc filter as follows :- (A) tc filter add dev eth0 parent 1: protocol ip prio 10 u32 \ match ip tos 0x10 0xfc flowid 1:10 tc filter add dev eth1 parent 1: protocol ip prio 10 u32 \ match ip tos 0x10 0xfc flowid 1:10 Then I do a ssh login to side B of the bridge from side A. It shows that the traffic has been classified correctly. (B) tc filter add dev eth0 parent 1: protocol ip prio 10 u32 \ match ip tos 0x68 0xfc flowid 1:10 tc filter add dev eth1 parent 1: protocol ip prio 10 u32 \ match ip tos 0x68 0xfc flowid 1:10 Then I do a ssh login to side B of the bridge from side A, the traffic has not been classified correctly. The class 1:10 picks up zero traffic. (C) However if I ping side B of the bridge from side A, it shows that icmp could be classified into class 1:10. Why it is just not possible to classify anything other than icmp ? Regards. -------------------------------------------------------- Important Warning! *************************** This electronic communication (including any attached files) may contain confidential and/or legally privileged information and is only intended for the use of the person to whom it is addressed. If you are not the intended recipient, you do not have permission to read, use, disseminate, distribute, copy or retain any part of this communication or its attachments in any form. If this e-mail was sent to you by mistake, please take the time to notify the sender so that they can identify the problem and avoid any more mistakes in sending e-mail to you. 
The unauthorised use of information contained in this communication or its attachments may result in legal action against any person who uses it. _______________________________________________ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc From salim.si at cipherium.com.tw Fri Aug 17 04:58:30 2007 From: salim.si at cipherium.com.tw (Salim S I) Date: Fri Aug 17 04:58:50 2007 Subject: [LARTC] Unable to match/classify non-icmp traffic with TOSbiggerthan 0x10 In-Reply-To: <000001c7e078$f5a30f30$b9021d0a@SalimSi> Message-ID: <000101c7e07a$815c72e0$b9021d0a@SalimSi> Sorry, I hadn't seen 0x68 match. -----Original Message----- From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Salim S I Sent: Friday, August 17, 2007 10:47 AM To: 'Ming-Ching Tiew'; lartc@mailman.ds9a.nl Subject: RE: [LARTC] Unable to match/classify non-icmp traffic with TOSbiggerthan 0x10 Is it because the TOS and DSCP values are different? -----Original Message----- From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Ming-Ching Tiew Sent: Thursday, August 16, 2007 5:21 PM To: lartc@mailman.ds9a.nl Subject: [LARTC] Unable to match/classify non-icmp traffic with TOS biggerthan 0x10 This problem is driving nuts, so I am seeking help here. Your help will be deeply appreciated. I have made myself a Linux bridge with eth1 and eth0 to form br0. Then I run a script to configure tc with htb on it. But I can never match non-icmp traffic ( such as tcp and udp ) with TOS or DSCP values such as 0x68. The full story as follows :- 1. On the source testing machine, I do this to set the tos and dscp settings :- (A) iptables -t mangle -A OUTPUT -j TOS --set-tos 0x10 ( to make ssh tos value 0x10 ) or (B) iptables -t mangle -A OUTPUT -j DSCP --set-dscp 0x1a ( to make ssh DSCP value 0x68 ) 2. 
Then on the bridge machine, I have tc filter as follows :- (A) tc filter add dev eth0 parent 1: protocol ip prio 10 u32 \ match ip tos 0x10 0xfc flowid 1:10 tc filter add dev eth1 parent 1: protocol ip prio 10 u32 \ match ip tos 0x10 0xfc flowid 1:10 Then I do a ssh login to side B of the bridge from side A. It shows that the traffic has been classified correctly. (B) tc filter add dev eth0 parent 1: protocol ip prio 10 u32 \ match ip tos 0x68 0xfc flowid 1:10 tc filter add dev eth1 parent 1: protocol ip prio 10 u32 \ match ip tos 0x68 0xfc flowid 1:10 Then I do a ssh login to side B of the bridge from side A, the traffic has not been classified correctly. The class 1:10 picks up zero traffic. (C) However if I ping side B of the bridge from side A, it shows that icmp could be classified into class 1:10. Why it is just not possible to classify anything other than icmp ? Regards. -------------------------------------------------------- Important Warning! *************************** This electronic communication (including any attached files) may contain confidential and/or legally privileged information and is only intended for the use of the person to whom it is addressed. If you are not the intended recipient, you do not have permission to read, use, disseminate, distribute, copy or retain any part of this communication or its attachments in any form. If this e-mail was sent to you by mistake, please take the time to notify the sender so that they can identify the problem and avoid any more mistakes in sending e-mail to you. The unauthorised use of information contained in this communication or its attachments may result in legal action against any person who uses it. 
_______________________________________________ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc _______________________________________________ LARTC mailing list LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc From salim.si at cipherium.com.tw Fri Aug 17 05:03:04 2007 From: salim.si at cipherium.com.tw (Salim S I) Date: Fri Aug 17 05:03:23 2007 Subject: [LARTC] Unable to match/classify non-icmp traffic with TOSbiggerthan 0x10 In-Reply-To: <000101c7e07a$815c72e0$b9021d0a@SalimSi> Message-ID: <000201c7e07b$2467cc50$b9021d0a@SalimSi> Did you try to capture the packets with tcpdump or something and check the TOS field? Was it correct? I had a similar set up before, though not bridge, and it worked. -----Original Message----- From: Salim S I [mailto:salim.si@cipherium.com.tw] Sent: Friday, August 17, 2007 10:59 AM To: 'Salim S I'; 'Ming-Ching Tiew'; lartc@mailman.ds9a.nl Subject: RE: [LARTC] Unable to match/classify non-icmp traffic with TOSbiggerthan 0x10 Sorry, I hadn't seen 0x68 match. -----Original Message----- From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Salim S I Sent: Friday, August 17, 2007 10:47 AM To: 'Ming-Ching Tiew'; lartc@mailman.ds9a.nl Subject: RE: [LARTC] Unable to match/classify non-icmp traffic with TOSbiggerthan 0x10 Is it because the TOS and DSCP values are different? -----Original Message----- From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Ming-Ching Tiew Sent: Thursday, August 16, 2007 5:21 PM To: lartc@mailman.ds9a.nl Subject: [LARTC] Unable to match/classify non-icmp traffic with TOS biggerthan 0x10 This problem is driving nuts, so I am seeking help here. Your help will be deeply appreciated. I have made myself a Linux bridge with eth1 and eth0 to form br0. Then I run a script to configure tc with htb on it. 
But I can never match non-icmp traffic ( such as tcp and udp ) with TOS or DSCP values such as 0x68. The full story as follows :- 1. On the source testing machine, I do this to set the tos and dscp settings :- (A) iptables -t mangle -A OUTPUT -j TOS --set-tos 0x10 ( to make ssh tos value 0x10 ) or (B) iptables -t mangle -A OUTPUT -j DSCP --set-dscp 0x1a ( to make ssh DSCP value 0x68 ) 2. Then on the bridge machine, I have tc filter as follows :- (A) tc filter add dev eth0 parent 1: protocol ip prio 10 u32 \ match ip tos 0x10 0xfc flowid 1:10 tc filter add dev eth1 parent 1: protocol ip prio 10 u32 \ match ip tos 0x10 0xfc flowid 1:10 Then I do a ssh login to side B of the bridge from side A. It shows that the traffic has been classified correctly. (B) tc filter add dev eth0 parent 1: protocol ip prio 10 u32 \ match ip tos 0x68 0xfc flowid 1:10 tc filter add dev eth1 parent 1: protocol ip prio 10 u32 \ match ip tos 0x68 0xfc flowid 1:10 Then I do a ssh login to side B of the bridge from side A, the traffic has not been classified correctly. The class 1:10 picks up zero traffic. (C) However if I ping side B of the bridge from side A, it shows that icmp could be classified into class 1:10. Why it is just not possible to classify anything other than icmp ? Regards. -------------------------------------------------------- Important Warning! *************************** This electronic communication (including any attached files) may contain confidential and/or legally privileged information and is only intended for the use of the person to whom it is addressed. If you are not the intended recipient, you do not have permission to read, use, disseminate, distribute, copy or retain any part of this communication or its attachments in any form. If this e-mail was sent to you by mistake, please take the time to notify the sender so that they can identify the problem and avoid any more mistakes in sending e-mail to you. 
From indunil75 at gmail.com Fri Aug 17 06:45:21 2007
From: indunil75 at gmail.com (Indunil Jayasooriya)
Date: Fri Aug 17 06:45:38 2007
Subject: [LARTC] two providers.
In-Reply-To: <136729277.20070816154811@yandex.ru>
References: <136729277.20070816154811@yandex.ru>
Message-ID: <7ed6b0aa0708162145s4e96cc6cm4216177c119bf0be@mail.gmail.com>

On 8/16/07, Vitaliy Tskhovrebov wrote:
>
> Hello, people.
>
> I read the iptables tutorial and lartc, but I'm still confused with one
> trouble.
>
> Maybe this question was discussed already, so forward me the solution, if
> there is one.
>
> So, there's a trouble.
>
> I have debian etch linux, 2.6.18-4 kernel.
>
> On this computer I have three interfaces: eth0 - my lan, eth1, eth2 -
> providers.
>
> By default all internet traffic is routed through eth2. But I NEED to
> route mail and icq (tcp110, tcp25, tcp5190) through eth1. How can I do
> that?

That is policy routing. Is it a SNATed firewall?

I use the script below for a SNATed firewall where I have two links, a leased line and an ADSL line. I route web traffic (both HTTP and HTTPS -- tcp 80 and tcp 443) via the ADSL link.

You want to route mail and icq (tcp110, tcp25, tcp5190) through eth1, so please change the ports accordingly. Please replace gatewayipofprovider1, gatewayipofprovider2, ipofETH1 and ipofETH2 with yours.

By default, my firewall also routes traffic via eth2 (i.e. gatewayipofprovider1 -- leased line or realiplink). I route http and https traffic via eth1 (i.e. gatewayipofprovider2 -- ADSL or adsllink). In your case, it is the same.

Below is the script.
echo 210 realiplink >> /etc/iproute2/rt_tables
echo 211 adsllink >> /etc/iproute2/rt_tables

ip route add gatewayipofprovider1 dev eth2 table realiplink
ip route add default via gatewayipofprovider1 dev eth2 table realiplink

ip route add gatewayipofprovider2 dev eth1 table adsllink
ip route add default via gatewayipofprovider2 dev eth1 table adsllink

iptables -t mangle -A OUTPUT -p tcp -m multiport --dports 80,443 -j MARK --set-mark 1
ip rule add fwmark 1 pri 100 table adsllink

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source ipofETH1
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter

ip rule add from ipofETH2 pri 200 table realiplink
ip rule add from ipofETH1 pri 300 table adsllink

Then, issue the command below to see the routing tables:

ip rule list

PLEASE NOTE: In the above script, I have marked OUTPUT traffic as 1. Below is the command I have given:

iptables -t mangle -A OUTPUT -p tcp -m multiport --dports 80,443 -j MARK --set-mark 1

The reason for that is that the firewall itself is a SQUID proxy server, but not a TRANSPARENT proxy; it just acts as a normal proxy (i.e. I have configured the client browsers with its ip address and port 3128).

Try the above script and see if it works. If it does not work, please replace the above command with this:

iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 80,443 -j MARK --set-mark 1

or

iptables -t mangle -A PREROUTING -i eth0 -p tcp -m multiport --dports 80,443 -j MARK --set-mark 1

Try this and be HAPPY.

--
Thank you
Indunil Jayasooriya
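One thing worth fixing before this script goes into rc.local: the two "echo ... >> /etc/iproute2/rt_tables" lines append a fresh copy of each table entry every time the script runs, and the "ip rule add" lines likewise pile up duplicate rules. The helper below is an added example, not part of Indunil's script or of iproute2, showing the idempotent form for the rt_tables part: register a table name only when neither its id nor its name is already present. The file path and the counting helper are the example's own; the test exercises it on a temporary file rather than the real /etc/iproute2/rt_tables.

```shell
#!/bin/sh
# ensure_rt_table FILE ID NAME
# Append "ID<tab>NAME" to FILE only if no existing non-comment line already
# uses that id or that name. Re-running a setup script then leaves the file
# unchanged instead of growing it by two lines per boot.
ensure_rt_table() {
  file=$1; id=$2; name=$3
  if grep -Eq "^[[:space:]]*(${id}[[:space:]]+[^[:space:]]+|[0-9]+[[:space:]]+${name})[[:space:]]*$" "$file"; then
    return 0
  fi
  printf '%s\t%s\n' "$id" "$name" >> "$file"
}

# count_entries FILE NAME -> number of non-comment lines that define NAME.
# Prints 0 (and succeeds) when there are none; grep -c alone would exit 1.
count_entries() {
  grep -Ec "^[[:space:]]*[0-9]+[[:space:]]+$2[[:space:]]*$" "$1" || true
}

# demo_rt_tables FILE: populate FILE the way the script above does, but
# idempotently, running the registrations twice to show nothing duplicates.
# Returns the number of lines naming "realiplink" (expected: 1).
demo_rt_tables() {
  f=$1
  # Stock rt_tables content (constructed, matches the default reserved entries).
  printf '255\tlocal\n254\tmain\n253\tdefault\n0\tunspec\n' > "$f"
  for pass in 1 2; do
    ensure_rt_table "$f" 210 realiplink
    ensure_rt_table "$f" 211 adsllink
  done
  count_entries "$f" realiplink
}

# Stand-alone run on a scratch file, never on the live /etc/iproute2/rt_tables.
scratch=$(mktemp)
echo "realiplink entries after two passes: $(demo_rt_tables "$scratch")"
cat "$scratch"
rm -f "$scratch"
```

The same idea applies to the "ip rule add" lines: check "ip rule list" for the rule (or run "ip rule del" for it first) before adding, or the rule table acquires a duplicate on every run. The rp_filter=0 line is the other thing to keep in mind when reusing this script: it switches reverse-path checking off on eth1 entirely, which is what makes asymmetric source routing work on a 2.6.18 kernel, but it also removes the kernel's own check against spoofed source addresses arriving on that interface; later kernels offer rp_filter=2 (loose mode), which keeps a sanity check while tolerating the asymmetric routes this setup creates.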
From pranavadesai at gmail.com Sat Aug 18 00:52:38 2007
From: pranavadesai at gmail.com (Pranav Desai)
Date: Sat Aug 18 00:53:02 2007
Subject: [LARTC] Policy base forwarding issues
Message-ID:

Hello All,

I am trying to setup a linux box as a forwarding router based on src IP. The problem is that it does forward the pkts to the intended server specified in the ip rule, but it also forwards them to the original dst (dst specified in the pkt).

Here is the setup:

    [10.1.0.166]                                               [192.168.1.225]
         |                                                            |
         |              [A]                        [B]                |
         |-------[10.1.0.63/172.16.1.63]-------[172.16.1.64/192.168.1.65]-------|
         |       linux box, only has             linux-router in question       |
         |       net.ipv4.ip_forward=1                                          |
         |                                                                      |
    [10.1.0.167]                                               [192.168.1.100]

A - is just a linux box doing forwarding for the 2 networks 10.1.x.x -> 172.16.1.x.
B - is the linux router which I want to setup as forwarding.

The pkts come from 10.1.0.166 and .167 -> to 192.168.1.100

I want to setup rules on [B] to forward all pkts with src addr 10.1.0.166 to 192.168.1.225. And all pkts from 10.1.0.167 to 192.168.1.100 should still go to 192.168.1.100.

Here are the rules I setup.

[root@forwarder ~]# ip rule sh
0:      from all lookup local
32765:  from 10.1.0.166 lookup 225
32766:  from all lookup main
32767:  from all lookup default

[root@forwarder ~]# ip ro sh tab 225
192.168.1.0/24 via 192.168.1.225 dev eth1

The pkts still go to both .225 and .100. I checked on another machine connected to the same switch as 192.168.1.100 and 192.168.1.225 and it's not receiving the pkts. So, it doesn't seem like the switch is screwing up and broadcasting the packets everywhere.

I would appreciate any kind of help or pointers.

Thanks for your time.

--
pranav
------------------------------
http://pd.dnsalias.org
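What the rule and the table 225 route actually decide can be walked through by hand. The script below is an added example, not code from the thread: it replays the kernel's lookup order (rules by priority, then longest-prefix match in the selected table) over the "ip rule sh" and "ip ro sh tab 225" listings from the post. The main table is an assumption, built from the two connected networks of box [B] shown in the diagram, since the post does not list it. The point it makes is that a route's "via" only picks the next hop the frame is handed to; the packet's destination address is untouched.

```shell
#!/bin/sh
# Policy-routing state of box [B]. RULES and TABLE_225 are copied from the
# post; TABLE_main is an assumption (the connected routes for B's two
# interfaces, which the post does not show).
RULES='32765 from 10.1.0.166 lookup 225
32766 from all lookup main'
TABLE_225='192.168.1.0/24 via 192.168.1.225 dev eth1'
TABLE_main='172.16.1.0/24 dev eth0
192.168.1.0/24 dev eth1'

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# prefix_len PREFIX -> mask length ("default" is 0, a bare address is 32)
prefix_len() { case $1 in default) echo 0 ;; */*) echo "${1#*/}" ;; *) echo 32 ;; esac; }

# in_prefix ADDR PREFIX: true when ADDR lies inside PREFIX
in_prefix() {
  len=$(prefix_len "$2")
  [ "$len" -eq 0 ] && return 0
  net=${2%/*}
  [ $(( $(ip_to_int "$1") >> (32 - len) )) -eq $(( $(ip_to_int "$net") >> (32 - len) )) ]
}

# lookup_table NAME DST: longest-prefix match in table NAME; prints the
# nexthop part of the winning route, fails when the table has no route.
lookup_table() {
  eval "routes=\$TABLE_$1"
  best_len=-1; best=""
  while read -r pfx rest; do
    [ -n "$pfx" ] || continue
    if in_prefix "$2" "$pfx"; then
      len=$(prefix_len "$pfx")
      if [ "$len" -gt "$best_len" ]; then best_len=$len; best=$rest; fi
    fi
  done <<EOF
$routes
EOF
  [ "$best_len" -ge 0 ] && printf '%s\n' "$best"
}

# resolve SRC DST: walk the rules in priority order and print "TABLE NEXTHOP"
# for the first table that has a route to DST. A rule whose table has no
# matching route is skipped and the walk continues, as the kernel does.
resolve() {
  while read -r prio from sel lookup table; do
    [ -n "$prio" ] || continue
    if [ "$sel" = all ] || [ "$sel" = "$1" ]; then
      nh=$(lookup_table "$table" "$2") && { printf '%s %s\n' "$table" "$nh"; return 0; }
    fi
  done <<EOF
$RULES
EOF
  return 1
}

# Stand-alone run: the two sources from the post, same destination.
for src in 10.1.0.166 10.1.0.167; do
  printf '%s -> 192.168.1.100: table/nexthop = %s (dst unchanged)\n' "$src" "$(resolve "$src" 192.168.1.100)"
done
```

For 10.1.0.166 the resolver lands in table 225 and hands the frame to 192.168.1.225, but the IP destination is still 192.168.1.100; if .225 is itself forwarding, it sends the packet on to .100, which is consistent with both hosts seeing it. Rewriting the destination is a NAT job, which is why Salim's reply points at DNAT rather than at a route.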
From forums at hyper-plaza.com Sat Aug 18 06:50:20 2007
From: forums at hyper-plaza.com (Mikhail)
Date: Sat Aug 18 06:51:22 2007
Subject: [LARTC] two providers.
In-Reply-To: <20070817044556.25A1C4BB04@outpost.ds9a.nl>
Message-ID: <20070818045113.A32CD3F89@outpost.ds9a.nl>

One solution would be to mark outbound packets using iptables and then route them based on the marks.

> Hello, people.
>
> I read the iptables tutorial and lartc, but I'm still confused with one
> trouble.
>
> Maybe this question was discussed already, so forward me the solution, if
> there is one.
>
> So, there's a trouble.
>
> I have debian etch linux, 2.6.18-4 kernel.
>
> On this computer I have three interfaces: eth0 - my lan, eth1, eth2 -
> providers.
>
> By default all internet traffic is routed through eth2. But I NEED to
> route mail and icq (tcp110, tcp25, tcp5190) through eth1. How can I do
> that?
>
> Regards, Vitaliy Tskhovrebov.
>

From mitnlag at yandex.ru Sat Aug 18 08:23:04 2007
From: mitnlag at yandex.ru (Vitaliy Tskhovrebov)
Date: Sat Aug 18 08:23:26 2007
Subject: [LARTC] two providers.
In-Reply-To: <20070818045113.A32CD3F89@outpost.ds9a.nl>
References: <20070817044556.25A1C4BB04@outpost.ds9a.nl> <20070818045113.A32CD3F89@outpost.ds9a.nl>
Message-ID: <78570238.20070818102304@yandex.ru>

Thanks to all who helped me; I'll try the solutions soon, and I'll write to the list.

--
Regards, Vitaliy
mailto:mitnlag@yandex.ru

From borg at uu3.net Sun Aug 19 12:01:37 2007
From: borg at uu3.net (Unknown)
Date: Sun Aug 19 12:02:06 2007
Subject: [LARTC] HTB qdisc within HTB root qdisc
Message-ID:

Hello...

I'm trying to setup HTB to allow me to shape traffic from two upstreams that meet on a single lan0 interface. I prefer to use an HTB qdisc within the HTB root qdisc for a cleaner rules design. It seems that it doesn't work at all: tc -s class show doesn't show any traffic on the other classes attached to the HTB qdisc.
Linux 2.6.20.7
iproute-2.6.20-070313

The weird thing is that tc -s class show says that 1: and 2: are both root classes, which is not true, since they both have parent qdisc 1: or 2:, and those qdiscs aren't root: they have parent class 10:11 or 10:12 (which is what tc -s qdisc show says).

Is an HTB qdisc within an HTB qdisc valid on newer kernels? If yes, what is wrong in this setup? This setup works fine when I use one HTB qdisc and many classes within classes.

How it looks like:

------------------------------------------------------------------------------
### lan0 ###
tcq="tc qdisc add dev lan0"
tcc="tc class add dev lan0"

$tcq root handle 10: htb
$tcc parent 10: classid 10:1 htb rate 100000Kbit

# LAN
$tcc parent 10:1 classid 10:10 htb rate 80000Kbit ceil 100000Kbit prio 7
$tcq parent 10:10 sfq limit 50 perturb 1

# from wan0
$tcc parent 10:1 classid 10:11 htb rate 2048Kbit prio 3

# from wan1
$tcc parent 10:1 classid 10:12 htb rate 10000Kbit prio 3

### lan0 - from wan0 ###
tcq="tc qdisc add dev lan0"
tcc="tc class add dev lan0"

$tcq parent 10:11 handle 1: htb
$tcc parent 1: classid 1:1 htb rate 2048Kbit

# SYN/minimal payload
$tcc parent 1:1 classid 1:10 htb rate 128Kbit ceil 256Kbit prio 0
$tcq parent 1:10 pfifo limit 50

# DMZ
$tcc parent 1:1 classid 1:14 htb rate 256Kbit ceil 1024Kbit prio 4

# telnet/SSH/IRC
$tcc parent 1:14 classid 1:41 htb rate 64Kbit ceil 512Kbit prio 2
$tcq parent 1:41 pfifo limit 30

# UDP
$tcc parent 1:14 classid 1:42 htb rate 64Kbit ceil 512Kbit prio 3
$tcq parent 1:42 pfifo limit 30

# generic NORMAL
$tcc parent 1:14 classid 1:43 htb rate 64Kbit ceil 1024Kbit prio 5
$tcq parent 1:43 sfq limit 50 perturb 1

# generic BULK
$tcc parent 1:14 classid 1:44 htb rate 64Kbit ceil 512Kbit prio 7
$tcq parent 1:44 sfq limit 50 perturb 1

### lan0 - from wan1 ###
tcq="tc qdisc add dev lan0"
tcc="tc class add dev lan0"

$tcq parent 10:12 handle 2: htb
$tcc parent 2: classid 2:1 htb rate 10000Kbit

# SYN/minimal payload
$tcc parent 2:1 classid 2:10 htb rate 200Kbit ceil 500Kbit prio 0
$tcq parent 2:10 pfifo limit 50

# gw traffic
$tcc parent 2:1 classid 2:11 htb rate 200Kbit ceil 500Kbit prio 2
$tcq parent 2:11 pfifo limit 20

# DMZ
$tcc parent 2:1 classid 2:13 htb rate 3000Kbit ceil 5000Kbit prio 4

# telnet/SSH/IRC
$tcc parent 2:13 classid 2:31 htb rate 300Kbit ceil 500Kbit prio 2
$tcq parent 2:31 pfifo limit 30

# UDP
$tcc parent 2:13 classid 2:32 htb rate 700Kbit ceil 1000Kbit prio 3
$tcq parent 2:32 pfifo limit 30

# generic NORMAL
$tcc parent 2:13 classid 2:33 htb rate 2000Kbit ceil 5000Kbit prio 5
$tcq parent 2:33 sfq limit 50 perturb 1

# generic BULK
$tcc parent 2:13 classid 2:34 htb rate 1000Kbit ceil 2000Kbit prio 7
$tcq parent 2:34 sfq limit 50 perturb 1
------------------------------------------------------------------------------

# tc -s class show dev lan0
class htb 10:1 root rate 100000Kbit ceil 100000Kbit burst 126599b cburst 126599b
 Sent 68351264 bytes 527234 pkt (dropped 0, overlimits 0 requeues 0)
 rate 464bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 1924
 tokens: 10118 ctokens: 10118

class htb 10:10 parent 10:1 leaf 825b: prio 7 rate 80000Kbit ceil 100000Kbit burst 101599b cburst 126599b
 Sent 68348547 bytes 527215 pkt (dropped 0, overlimits 0 requeues 0)
 rate 576bit 0pps backlog 0b 0p requeues 0
 lended: 527215 borrowed: 0 giants: 1924
 tokens: 10147 ctokens: 10118

class htb 10:11 parent 10:1 leaf 1: prio 3 rate 2048Kbit ceil 2048Kbit burst 4159b cburst 4159b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 16249 ctokens: 16249

class htb 10:12 parent 10:1 leaf 2: prio 3 rate 10000Kbit ceil 10000Kbit burst 14099b cburst 14099b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 11280 ctokens: 11280

class htb 1:1 root rate 2048Kbit ceil 2048Kbit burst 4159b cburst 4159b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 16249 ctokens: 16249

class htb 1:14 parent 1:1 rate 256000bit ceil 1024Kbit burst 1919b cburst 2879b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 60000 ctokens: 22500

class htb 2:1 root rate 10000Kbit ceil 10000Kbit burst 14099b cburst 14099b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 11280 ctokens: 11280

class htb 2:13 parent 2:1 rate 3000Kbit ceil 5000Kbit burst 5349b cburst 7849b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 14266 ctokens: 12560

# tc -s qdisc show dev lan0
qdisc htb 10: r2q 10 default 0 direct_packets_stat 10390983
 Sent 4202459134 bytes 10919087 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
qdisc htb 1: parent 10:11 r2q 10 default 0 direct_packets_stat 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
qdisc htb 2: parent 10:12 r2q 10 default 0 direct_packets_stat 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0

Regards,
Borg

From pranavadesai at gmail.com Mon Aug 20 21:17:48 2007
From: pranavadesai at gmail.com (Pranav Desai)
Date: Mon Aug 20 21:18:10 2007
Subject: [LARTC] How to debug iproute2 ?
Message-ID:

Hello All,

I am having some trouble with src-based policy routing, and I was wondering if there is a way to debug iproute2. I am not sure whether there is some problem with the network setup or there is some issue with iproute2, hence I would like to debug it and see what's happening.

I would appreciate any help.

Thanks

--
Pranav
------------------------------
http://pd.dnsalias.org
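The two listings in Borg's HTB-within-HTB post carry more diagnostic information than is easy to see by eye, and the script below is an added example (not code from that post or from iproute2) for reading them: it parses the "tc -s class show" layout to list every class whose Sent counter is zero and to report what tc prints as each class's parent, and it parses "tc -s qdisc show" to compute what share of a qdisc's packets went to its direct queue. With "default 0", HTB sends a packet that no filter classifies straight to the direct queue, bypassing every class, and counts it in direct_packets_stat. The sample text is a constructed excerpt using the figures from the post (three of its eight classes and two of its three qdiscs, to keep the block short); on a live box, feed the functions the real command output instead.

```shell
#!/bin/sh
# Constructed excerpt of "tc -s class show dev lan0", in the layout tc prints,
# with the numbers from the post above (not the full listing).
TC_CLASS_OUTPUT='class htb 10:1 root rate 100000Kbit ceil 100000Kbit burst 126599b cburst 126599b
 Sent 68351264 bytes 527234 pkt (dropped 0, overlimits 0 requeues 0)
 rate 464bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 1924
 tokens: 10118 ctokens: 10118

class htb 10:11 parent 10:1 leaf 1: prio 3 rate 2048Kbit ceil 2048Kbit burst 4159b cburst 4159b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 16249 ctokens: 16249

class htb 1:1 root rate 2048Kbit ceil 2048Kbit burst 4159b cburst 4159b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 16249 ctokens: 16249
'

# Constructed excerpt of "tc -s qdisc show dev lan0" from the same post.
TC_QDISC_OUTPUT='qdisc htb 10: r2q 10 default 0 direct_packets_stat 10390983
 Sent 4202459134 bytes 10919087 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
qdisc htb 1: parent 10:11 r2q 10 default 0 direct_packets_stat 0
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
'

# idle_classes OUTPUT: classid of every class whose Sent counter is 0, one per line.
idle_classes() {
  printf '%s\n' "$1" | awk '
    $1 == "class" { id = $3 }
    $1 == "Sent"  { if ($2 == 0) print id }'
}

# class_parent OUTPUT CLASSID: what tc prints as the parent of CLASSID. tc
# prints "root" for a class attached directly to its own qdisc, so the inner
# classes 1:1 and 2:1 show as root even though their qdiscs hang off 10:11
# and 10:12; that is the display quirk Borg noticed, not a misconfiguration.
class_parent() {
  printf '%s\n' "$1" | awk -v want="$2" '
    $1 == "class" && $3 == want { if ($4 == "root") print "root"; else print $5; exit }'
}

# direct_percent OUTPUT QDISC: integer percentage of QDISC's sent packets that
# went to the direct queue, i.e. were not classified into any class.
direct_percent() {
  printf '%s\n' "$1" | awk -v want="$2" '
    $1 == "qdisc" { id = $3
                    for (i = 1; i <= NF; i++) if ($i == "direct_packets_stat") direct[id] = $(i + 1) }
    $1 == "Sent" && id == want { print ($4 > 0) ? int(direct[id] * 100 / $4) : 0; exit }'
}

# Stand-alone run over the constructed excerpts.
echo "classes with no traffic: $(idle_classes "$TC_CLASS_OUTPUT" | tr '\n' ' ')"
echo "parent of 1:1 as printed by tc: $(class_parent "$TC_CLASS_OUTPUT" 1:1)"
echo "qdisc 10: direct-queue share: $(direct_percent "$TC_QDISC_OUTPUT" 10:)%"
```

On the post's own numbers, direct_percent for qdisc 10: comes out at 95: about nineteen packets in twenty never matched a filter on the root qdisc and so never reached 10:11 or 10:12, which is a different problem from the inner qdiscs not working. Checking this share first tells you whether to look at the filters on the outer qdisc or at the classes inside the inner ones.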
From salim.si at cipherium.com.tw Tue Aug 21 05:44:59 2007
From: salim.si at cipherium.com.tw (Salim S I)
Date: Tue Aug 21 05:45:22 2007
Subject: [LARTC] Policy base forwarding issues
In-Reply-To:
Message-ID: <000a01c7e3a5$aa283820$b9021d0a@SalimSi>

Why don't you use DNAT? The via address is supposed to be the address of the nexthop router.

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Pranav Desai
Sent: Saturday, August 18, 2007 6:53 AM
To: lartc
Subject: [LARTC] Policy base forwarding issues

Hello All,

I am trying to setup a linux box as a forwarding router based on src IP. The problem is that it does forward the pkts to the intended server specified in the ip rule, but it also forwards them to the original dst (dst specified in the pkt).

Here is the setup:

    [10.1.0.166]                                               [192.168.1.225]
         |                                                            |
         |              [A]                        [B]                |
         |-------[10.1.0.63/172.16.1.63]-------[172.16.1.64/192.168.1.65]-------|
         |       linux box, only has             linux-router in question       |
         |       net.ipv4.ip_forward=1                                          |
         |                                                                      |
    [10.1.0.167]                                               [192.168.1.100]

A - is just a linux box doing forwarding for the 2 networks 10.1.x.x -> 172.16.1.x.
B - is the linux router which I want to setup as forwarding.

The pkts come from 10.1.0.166 and .167 -> to 192.168.1.100

I want to setup rules on [B] to forward all pkts with src addr 10.1.0.166 to 192.168.1.225. And all pkts from 10.1.0.167 to 192.168.1.100 should still go to 192.168.1.100.

Here are the rules I setup.

[root@forwarder ~]# ip rule sh
0:      from all lookup local
32765:  from 10.1.0.166 lookup 225
32766:  from all lookup main
32767:  from all lookup default

[root@forwarder ~]# ip ro sh tab 225
192.168.1.0/24 via 192.168.1.225 dev eth1

The pkts still go to both .225 and .100. I checked on another machine connected to the same switch as 192.168.1.100 and 192.168.1.225 and it's not receiving the pkts. So, it doesn't seem like the switch is screwing up and broadcasting the packets everywhere.

I would appreciate any kind of help or pointers.

Thanks for your time.

--
pranav
------------------------------
http://pd.dnsalias.org

From mangalregmi at yahoo.com Tue Aug 21 10:07:15 2007
From: mangalregmi at yahoo.com (mangal regmi)
Date: Tue Aug 21 10:07:42 2007
Subject: [LARTC] two providers
Message-ID: <303673.2397.qm@web50604.mail.re2.yahoo.com>

Hi to all,

I think this is not a new problem for this forum, but it's newest for me as I am a new linux learner. Even if it is new, please reply me your answer, and if it's already been asked and has a solution, please forward the solution. My problem is mentioned here:

I have fedora core 4 as a linux server. There are two external links connected to this. The settings are as:

eth0 -> for internal (that is for LAN)
eth2 -> dsl connection
eth1 -> cable line connection (this connection has no gateway and netmask address provided, so this is connected via ppp0. This is provided from the ISP via DHCP but has a fixed ip address)

I want to use these two links to provide the internet in my LAN, where there are about 8 to 10 computers. I want that if any of the links goes down, the other should continue the internet, and also while both the links are up, the load should be shared between these two links, so that the net connection and downloads are faster.

I have heard about the scripts that can do this, but I have no idea how to write these scripts. I need these to be on after reboot also.

I tried my best and I also referred to lartc.org, but I could do only a little.

WHAT I DID: it works very well if I connect both of the links and the default path is via ppp0. But suppose that (ppp0) is disconnected; then the dsl connection can handle only up to 15/16 seconds.
After that it disconnects. What's the solution? Please, as soon as possible, help me. I am in big trouble.

YOUR SMALL HELP WILL BE A BIG BOON FOR ME

Remember that I don't have the gateway and netmask of the eth1 connection. It has an ip address only; it is NATed via ppp0. And also all my working is based on lartc.org only. In the case of the dsl connection I have just replaced the ip and gateways with my ip and gateways, and in the case of the ppp0 connection I have put ppp0 in the place of gateway and netmask, and in place of ip I have given the ip of that link.

THANKS IN ADVANCE

From indunil75 at gmail.com Tue Aug 21 10:53:50 2007
From: indunil75 at gmail.com (Indunil Jayasooriya)
Date: Tue Aug 21 10:53:57 2007
Subject: [LARTC] two providers
In-Reply-To: <303673.2397.qm@web50604.mail.re2.yahoo.com>
References: <303673.2397.qm@web50604.mail.re2.yahoo.com>
Message-ID: <7ed6b0aa0708210153j798fe5a5q45528bda966339c1@mail.gmail.com>

On 8/21/07, mangal regmi wrote:
>
> Hi to all
> I think this is not a new problem for this forum, but it's newest for me
> as I am a new linux learner. Even if it is new, please reply me your answer,
> and if it's already been asked and has a solution, please forward the solution.
> My problem is mentioned here:
> I have fedora core 4 as a linux server. There are two external links
> connected to this.

If there are 2 external links, what is the file /etc/sysconfig/network like? Can you write down the file?

> The settings are as: eth0 -> for internal (that is for LAN)
> eth2 -> dsl connection
> eth1 -> cable line connection (this connection
> has no gateway and netmask address provided, so this is connected via ppp0.
> This is provided from the ISP via DHCP but has a fixed ip address)

Hey, what is this FIXED ip address? Is it a permanent address?

YOUR eth0 of the Fedora Server is for internal (that is for LAN).
YOUR eth2 of the Fedora Server is connected to the dsl connection.
YOUR eth1 of the Fedora Server is connected to the cable line connection. It has an ip.

> I want to use these two links to provide the internet in my LAN, where there
> are about 8 to 10 computers. I want that if any of the links goes down, the
> other should continue the internet, and also while both the links are up, the
> load should be shared between these two links, so that the net connection
> and downloads are faster.
>
> I have heard about the scripts that can do this, but I have no idea
> how to write these scripts. I need these to be on after reboot also.

To bring the script up after the reboot, there are two ways. Either you have to write everything IN /etc/rc.d/rc.local, or write the script as a separate file and make it executable by using chmod.

Please see below.

First create the file as follows.

touch /etc/rc.d/loadbalancing

Then, by using the vi editor, write the script and save it as usual. Then, make it executable as follows.

chmod 755 /etc/rc.d/loadbalancing

And finally add the PATH OF THE SCRIPT to the /etc/rc.d/rc.local file as follows.

/etc/rc.d/loadbalancing

That's it. Now, whenever you reboot the system, the script also comes up with the system.

> I tried my best and I also referred to lartc.org, but I could do only a
> little.
>
> WHAT I DID: it works very well if I connect both of the links and the
> default path is via ppp0. But suppose that (ppp0) is disconnected; then
> the dsl connection can handle only up to 15/16 seconds. After that it
> disconnects. What's the solution? Please, as soon
> as possible, help me. I am in big trouble.
> YOUR SMALL HELP WILL BE A BIG BOON FOR ME

COULD YOU PLEASE write down your RULES. Then, I will be able to help you.

> Remember that I don't have the gateway and netmask of the eth1 connection. It has
> an ip address only; it is NATed via ppp0. And also all my working is based on
> lartc.org only. In the case of the dsl connection I have just replaced the ip and
> gateways with my ip and gateways, and in the case of the ppp0 connection I have put
> ppp0 in the place of gateway and netmask, and in place of ip I have given the
> ip of that link.

The above paragraph is not so clear.

> THANKS IN ADVANCE
>

--
Thank you
Indunil Jayasooriya

From mangalregmi at yahoo.com Tue Aug 21 12:43:08 2007
From: mangalregmi at yahoo.com (mangal regmi)
Date: Tue Aug 21 12:43:18 2007
Subject: [LARTC] two providers
Message-ID: <330981.60268.qm@web50604.mail.re2.yahoo.com>

Many many thanks for your help.
OK, I am making my problem more clear...
My LAN ip is: 172.16.100.0/24
ip of eth1 is: 202.51.78.122, and this is a fixed and permanent address, and it has no netmask and gateway (so, to provide internet to my LAN I have used the ppp0 for this connection)
ip of eth2: 203.78.165.154; netmask: 255.255.255.248; gateway: 203.78.165.153

For eth0 my file is: /etc/sysconfig/network-scripts/ifcfg-eth0
For eth1: /etc/sysconfig/network-scripts/ifcfg-eth1
For eth2: /etc/sysconfig/network-scripts/ifcfg-eth2

And my rules are placed in /etc/iproute2/rt_tables as suggested by lartc.org, and the whole copy of my above file is copied below:

#
# reserved values
#
#255 local
#254 main
#253 default
#0 unspec
#
# local
#
#1 inr.ruhep

#
# below this is added by me and above this is by default
# two additional routing tables

#ip route add 202.51.78.0/24 dev eth1 src ppp0 table T1
#ip route add default via ppp0 table T1
ip route add 203.78.165.0/24 dev eth2 src 203.78.165.154 table T2
ip route add default via 203.78.165.153 table T2

# main routing table

ip route add 202.51.78.0/24 dev eth1 src ppp0
ip route add 203.78.165.0/24 dev src 203.78.165.154

# preference for default route

ip route add default via 202.51.76.122

# routing rules

ip rule add from ppp0 table T1
ip rule add from 203.78.165.154 table T2

# entries for local network

ip route add 172.16.100.0/24 dev eth0 table T1
ip route add 203.78.165.0/24 dev eth2 table T1
ip route add 127.0.0.0/8 dev lo table T1
ip route add 172.16.100.0/24 dev eth0 table T2
ip route add 202.51.78.0/24 dev eth1 table T2
ip route add 127.0.0.0/8 dev lo table T2

#load balancing
ip route add default scope global nexthop via ppp0 dev eth1 weight 1 nexthop via 203.78.165.153 dev eth2 weight 1

This above one is the full and exact copy of my working....
From mangalregmi at yahoo.com Tue Aug 21 12:44:37 2007
From: mangalregmi at yahoo.com (mangal regmi)
Date: Tue Aug 21 12:44:45 2007
Subject: [LARTC] again the same prob that is :: two providers (here's full description)
Message-ID: <39051.26316.qm@web50605.mail.re2.yahoo.com>

Many many thanks for your help.
OK, I am making my problem more clear...

My LAN ip is: 172.16.100.0/24
ip of eth1 is: 202.51.78.122, and this is a fixed and permanent address, and it has no netmask and gateway (so, to provide internet to my LAN I have used the ppp0 for this connection)
ip of eth2: 203.78.165.154; netmask: 255.255.255.248; gateway: 203.78.165.153

For eth0 my file is: /etc/sysconfig/network-scripts/ifcfg-eth0
For eth1: /etc/sysconfig/network-scripts/ifcfg-eth1
For eth2: /etc/sysconfig/network-scripts/ifcfg-eth2

And my rules are placed in /etc/iproute2/rt_tables as suggested by lartc.org, and the whole copy of my above file is copied below:

#
# reserved values
#
#255 local
#254 main
#253 default
#0 unspec
#
# local
#
#1 inr.ruhep

#
# below this is added by me and above this is by default
# two additional routing tables

#ip route add 202.51.78.0/24 dev eth1 src ppp0 table T1
#ip route add default via ppp0 table T1
ip route add 203.78.165.0/24 dev eth2 src 203.78.165.154 table T2
ip route add default via 203.78.165.153 table T2

# main routing table

ip route add 202.51.78.0/24 dev eth1 src ppp0
ip route add 203.78.165.0/24 dev src 203.78.165.154

# preference for default route

ip route add default via 202.51.76.122

# routing rules

ip rule add from ppp0 table T1
ip rule add from 203.78.165.154 table T2

# entries for local network

ip route add 172.16.100.0/24 dev eth0 table T1
ip route add 203.78.165.0/24 dev eth2 table T1
ip route add 127.0.0.0/8 dev lo table T1
ip route add 172.16.100.0/24 dev eth0 table T2
ip route add 202.51.78.0/24 dev eth1 table T2
ip route add 127.0.0.0/8 dev lo table T2

#load balancing
ip route add default scope global nexthop via ppp0 dev eth1 weight 1 nexthop via 203.78.165.153 dev eth2 weight 1

This above one is the full and exact copy of my working....

Indunil Jayasooriya wrote:
> On 8/21/07, mangal regmi wrote:
> > Hi to all
> > I think this is not a new problem for this forum, but it's newest for me
> > as I am a new linux learner. Even if it is new, please reply me your answer,
> > and if it's already been asked and has a solution, please forward the solution.
> > My problem is mentioned here:
> > I have fedora core 4 as a linux server. There are two external links
> > connected to this.
>
> If there are 2 external links, what is the file /etc/sysconfig/network like?
> Can you write down the file?
>
> > The settings are as: eth0 -> for internal (that is for LAN)
> > eth2 -> dsl connection
> > eth1 -> cable line connection (this connection has no gateway and netmask
> > address provided, so this is connected via ppp0. This is provided from the
> > ISP via DHCP but has a fixed ip address)
>
> Hey, what is this FIXED ip address? Is it a permanent address?
>
> YOUR eth0 of the Fedora Server is for internal (that is for LAN).
> YOUR eth2 of the Fedora Server is connected to the dsl connection.
> YOUR eth1 of the Fedora Server is connected to the cable line connection. It has an ip.
>
> > I want to use these two links to provide the internet in my LAN, where there
> > are about 8 to 10 computers. I want that if any of the links goes down, the
> > other should continue the internet, and also while both the links are up, the
> > load should be shared between these two links, so that the net connection
> > and downloads are faster.
> >
> > I have heard about the scripts that can do this, but I have no idea
> > how to write these scripts. I need these to be on after reboot also.
>
> To bring the script up after the reboot, there are two ways. Either you have to
> write everything IN /etc/rc.d/rc.local, or write the script as a separate file
> and make it executable by using chmod.
>
> Please see below.
>
> First create the file as follows.
>
> touch /etc/rc.d/loadbalancing
>
> Then, by using the vi editor, write the script and save it as usual. Then,
> make it executable as follows.
>
> chmod 755 /etc/rc.d/loadbalancing
>
> And finally add the PATH OF THE SCRIPT to the /etc/rc.d/rc.local file as follows.
>
> /etc/rc.d/loadbalancing
>
> That's it. Now, whenever you reboot the system, the script also comes up
> with the system.
>
> > I tried my best and I also referred to lartc.org, but I could do only a little.
> >
> > WHAT I DID: it works very well if I connect both of the links and the
> > default path is via ppp0. But suppose that (ppp0) is disconnected; then
> > the dsl connection can handle only up to 15/16 seconds. After that it
> > disconnects. What's the solution? Please, as soon as possible, help me.
> > I am in big trouble.
> > YOUR SMALL HELP WILL BE A BIG BOON FOR ME
>
> COULD YOU PLEASE write down your RULES. Then, I will be able to help you.
>
> > Remember that I don't have the gateway and netmask of the eth1 connection.
> > It has an ip address only; it is NATed via ppp0. And also all my working is
> > based on lartc.org only. In the case of the dsl connection I have just
> > replaced the ip and gateways with my ip and gateways, and in the case of the
> > ppp0 connection I have put ppp0 in the place of gateway and netmask, and in
> > place of ip I have given the ip of that link.
>
> The above paragraph is not so clear.
>
> > THANKS IN ADVANCE
>
> --
> Thank you
> Indunil Jayasooriya
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070821/4a526a55/attachment.htm From indunil75 at gmail.com Tue Aug 21 13:11:44 2007 From: indunil75 at gmail.com (Indunil Jayasooriya) Date: Tue Aug 21 13:11:59 2007 Subject: [LARTC] two providers In-Reply-To: <360101.5457.qm@web50609.mail.re2.yahoo.com> References: <7ed6b0aa0708210153j798fe5a5q45528bda966339c1@mail.gmail.com> <360101.5457.qm@web50609.mail.re2.yahoo.com> Message-ID: <7ed6b0aa0708210411n9507c10rec89c0e095b85c90@mail.gmail.com> Pls either DELETE your script or save it somewhere else. and Now, replace your script with this. AND TRY, if it works. this is the script. echo "11 T1" >> /etc/iproute2/rt_tables echo "12 T2" >> /etc/iproute2/rt_tables ip route add 202.51.78.0/24 dev eth1 src 202.51.78.122 table T1 ip route add default via ppp0 table T1 ip route add 203.78.165.0/29 dev eth2 src 203.78.165.154 table T2 ip route add default via 203.78.165.153 table T2 * ip rule add from *202.51.78.122 *table T1 ip rule add from 203.78.165.154 table T2* ip route add default scope global nexthop via 202.51.78.122 dev eth1 weight 1 nexthop via 203.78.165.153 dev eth2 weight 1 THAT'S it. try and let me know. N-JOY IPROUTE2 On 8/21/07, mangal regmi wrote: > > many many thanks for ur help > ok i m making my problem more clear... 
> > my LAN ip is :172.16.100.0/24 > ip of eth1 is :202.51.78.122 and this is fixed and permanent address > and it has no netmask and gateway(so, to provide internet > to my LAN i have used the ppp0 for this connection ) > ip of eth2 : 203.78.165.154; netmask:255.255.255.248; gateway: > 203.78.165.153 > > for eth0 my file is :/etc/sysconfig/network-scripts/ifcfg-eth0 > for eth1 :/etc/sysconfig/network-scripts/ifcfg-eth1 > for eth2:/etc/sysconfig/network-scripts/ifcfg-eth2 > > and my rules are placed in /etc/iproute2/rt_tables as suggested by > lartc.org > > and the whole copy of my above file is copied below:::>>> > > > # > # reserved values > # > #255 local > #254 main > #253 default > #0 unspec > # > # local > # > #1 inr.ruhep > > # > # below this is added by me and above this is by default > # two addational routing tables > > #ip route add 202.51.78.0/24 dev eth1 src ppp0 table T1 > #ip route add default via ppp0 table T1 > ip route add 203.78.165.0/24 dev eth2 src 203.78.165.154 table T2 > ip route add default via 203.78.165.153 table T2 > > # main routing table > > *ip route add 202.51.78.0/24 dev eth1 src ppp0 > ip route add 203.78.165.0/24 dev src 203.78.165.154 > > # preference for default route > > ip route add default via 202.51.76.122 > > # routing rules > > ip rule add from ppp0 table T1 > ip rule add from 203.78.165.154 table T2 > > # entries for local network > > ip route add 172.16.100.0/24 dev eth0 table T1 > ip route add 203.78.165.0/24 dev eth2 table T1 > ip route add 127.0.0.0/8 dev lo table T1 > ip route add 172.16.100.0/24 dev eth0 table T2 > ip route add 202.51.78.0/24 dev eth1 table T2 > ip route add 127.0.0.0/8 dev lo table T2 > > #load balancing > ip route add default scope global nexthop via ppp0 dev eth1 weight 1 > nexthop via 203.78.165.153 dev eth2 weight 1 > > this above one is the full and exact copy of my working.... 
>
> Indunil Jayasooriya wrote:
>
> > On 8/21/07, mangal regmi wrote:
> >
> > Hi to all
> > i think this is not a new problem for this forum....but its newest for
> > me as i m a new linux learner. Even if it is new plzz....reply me ur
> > answer..n if its already asked n have solution..plzz forward the solution.
> > My problem is here mentioned:
> > I have fedora core 4 as a linux server. there r two external links
> > connected to this.
>
> If there are 2 external links, what is the file /etc/sysconfig/network like?
> Can you write down the file?
>
> > the settings are as: eth0 ->for internal (that is for LAN)
> > eth2 ->dsl connection
> > eth1 ->cable line connection (this connection has no gateway and netmask
> > address provided so this is connected via ppp0. this is provided from ISP
> > via DHCP but have the fixed ipaddress)
>
> Hey, what is this FIXED ip address? Is it a permanent address?
>
> YOUR eth0 of Fedora Server is for internal (that is for LAN)
> YOUR eth2 of Fedora Server is connected to the dsl connection.
> YOUR eth1 of Fedora Server is connected to the cable line connection. It
> has an ip.
>
> > i want to use these two link to provide the internet in my LAN where there
> > are about 8 to 10 computers. i want that if any of the link goes down ...the
> > other should continue the internet ...n also while both the links r up..the
> > load should be shared between these two links....so that the net connection
> > and downloads be faster....
> >
> > i have heard about the scripts....that can do this....but i have no idea
> > how to write these...scripts. i need these to be on after reboot also...
>
> To come up the script after the reboot, there are two ways. Either you
> have to write everything IN /etc/rc.d/rc.local or write the script as a
> separate file and make it executable by using chmod.
>
> Pls see below.
>
> first create the file as follows.
>
> touch /etc/rc.d/loadbalancing
>
> then, by using vi editor write the script and save it as usual. Then,
> make it executable as follows.
>
> chmod 755 /etc/rc.d/loadbalancing
>
> and finally add PATH OF THE SCRIPT to /etc/rc.d/rc.local file as follows.
>
> /etc/rc.d/loadbalancing
>
> That's it. Now, whenever you reboot the system, the script also comes up
> with the system.
>
> > i tried my best and i also referred the lartc.org ..but i could do a little
> > only.
> >
> > WHAT I DID: it works very well if i connect both of the links and the
> > default path is via ppp0. but suppose if that is (ppp0) disconnected then
> > the dsl connection can handle only upto 15/16 seconds. after that it
> > disconnects. whats the solution ...plzz...as..soon
> > as..possible...help..me...i m in big trouble....
> > UR SMALL HELP WILL BE A BIG BOON FOR ME
>
> COULD YOU PLS write down your RULES. Then, I will be able to help you.
>
> > Remember that i don't have gateway and netmask of eth1 connection. it has
> > ip address only. it is NATed via ppp0. and also my all working are based
> > on lartc.org only...in case of dsl connection i have just replaced the
> > ip and gateways with my ip and gateways....n in case of ppp0 connection i
> > have put ppp0 in the place of gateway n netmask and in place of ip i have
> > given the ip of that link.
>
> The above paragraph is not so clear.
>
> > THANKS IN ADVANCE
> >
> > _______________________________________________
> > LARTC mailing list
> > LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
> --
> Thank you
> Indunil Jayasooriya

--
Thank you
Indunil Jayasooriya
From salim.si at cipherium.com.tw Tue Aug 21 13:31:00 2007
From: salim.si at cipherium.com.tw (Salim S I)
Date: Tue Aug 21 13:31:23 2007
Subject: [LARTC] two providers
In-Reply-To: <7ed6b0aa0708210411n9507c10rec89c0e095b85c90@mail.gmail.com>
Message-ID: <003701c7e3e6$c37b00f0$b9021d0a@SalimSi>

> "ip route add default via ppp0 table T1"

via is not for device name. After ppp0 is up, type ifconfig and see the gateway, and use that gateway.

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Indunil Jayasooriya
Sent: Tuesday, August 21, 2007 7:12 PM
To: mangal regmi; lartc@mailman.ds9a.nl
Subject: Re: [LARTC] two providers
From maillist1 at argontech.net Tue Aug 21 15:19:46 2007
From: maillist1 at argontech.net (Marco C. Coelho)
Date: Tue Aug 21 15:11:34 2007
Subject: [LARTC] HTB tree is too deep
Message-ID: <46CAE672.3080607@argontech.net>

I've got a linux (2.6.18-8.1.6.el5.centos.plus) router doing pppoe termination and HTB rate limiting. The number of connections has grown quite a bit in the last few months, and I'm now getting a:

HTB tree is too deep

message on the monitor.
Where is the setting for max depth?

From gtaylor at riverviewtech.net Tue Aug 21 18:13:38 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Tue Aug 21 18:11:04 2007
Subject: [LARTC] Rout looping through local host.
Message-ID: <46CB0F32.7040206@riverviewtech.net>

After many many hours of frustration and failures I'm almost to the point that I don't think this is even currently possible with Linux.

Without going in to too much detail, I am effectively wanting to do the following. I want to be able to take traffic in from a local LAN on eth0 and route it out eth1 to a default gateway with a static IP. I want said default gateway with the static IP to be assigned to eth2. I then want to route and masquerade traffic that came in eth2 out eth3.

(Enter ASCII art)

 --------------+
  Context 0    |     +------+     +-----------+
               +-----+ eth0 +-----+ Local LAN |
               |     +------+     +-----------+
               |
               |     +------+
               +-----+ eth1 +---+
               |     +------+   |
 ==============|================|===
  Context 1    |                |
               |     +------+   |
               +-----+ eth2 +---+
               |     +------+
               |
               |     +------+     +----------+
               +-----+ eth3 +-----+ Internet |
               |     +------+     +----------+
 --------------+

I want the "router" in context 0 to effectively (for the sake of discussion) do basic static NAT routing for the local LAN. This router will have two static IP addresses, LAN facing and upstream router facing.

I want the "router" in context 1 to effectively (for the sake of discussion) do basic MASQUERADing for the equipment behind it. This router will have one static IP facing the LAN and one dynamic IP facing its upstream provider.

I have followed Julian Anastasov's directions (http://www.ssi.bg/~ja/send-to-self.txt) and applied his Send-to-Self patch (http://www.ssi.bg/~ja/send-to-self-2.6.22-1.diff) to a stock 2.6.22 kernel and I am able to ping the IP address assigned to eth2 from eth1 without any problems.
However I don't think Julian's patch covers routing traffic through (not terminating at or originating locally) the crossover cable.

I have also done some experimenting on my own to see if this is even remotely possible to do by altering the routing tables in the kernel. The closest that I can come is to remove all references to eth2 from the kernel's 'local' routing table so that the kernel is not aware that the IP address in question is local to the system, thus making it think that it needs to send the traffic out eth1 which is on the same subnet as the target IP assigned to eth2. I can tell from packet counters that this does indeed send the traffic like it is supposed to do. However when the packet arrives in eth2 the kernel does not know what to do with it as it does not see the IP in question as being bound to anything anywhere and drops the packet.

To this end I have re-added the entries from the 'local' routing table to a new routing table 'local_new' and set up an 'ip rule' that indicates that any traffic coming in the eth2 interface should use this 'local_new' routing table. However I have no way to know if this is doing any good or not as I can not progress further.

I have also tried without success to use CONNMARKing in conjunction with (packet) MARKing to use an additional 'ip rule' to specify that any traffic that would be leaving the system should also use the 'local_new' routing table. However all of this is to no avail.

If I stick more with Julian's 'Send-to-Self' document and just alter source IPs for different destinations (per the end of said document) I can get the traffic to flow through the system, but not as I want it to. To the best of my knowledge traffic will come in eth0 and go directly out eth3 while somehow in the return path passing through eth2, but never touching eth1.

If I can not get this to work the way that I need / want it to I will have to fall back to UML routers to fulfill the role of the context 1 "router".
So any help that anyone could provide would be _*GREATLY*_ appreciated.

Thanks in advance for any and all help that anyone can provide,

Grant. . . .

From Ralf-Lists at ralfgross.de Tue Aug 21 18:31:05 2007
From: Ralf-Lists at ralfgross.de (Ralf Gross)
Date: Tue Aug 21 18:31:34 2007
Subject: [LARTC] bandwidth aggregation between 2 hosts in the same subnet
In-Reply-To: <7210.1185911898@death>
References: <20070730141010.GA27667@p15145560.pureserver.info> <200707302046.06292.tami@disconnected.de> <20070730204801.GD27667@p15145560.pureserver.info> <200707310952.33633.tami@disconnected.de> <20070731110133.GF6008@p15145560.pureserver.info> <46AF5485.1030205@riverviewtech.net> <7210.1185911898@death>
Message-ID: <20070821163105.GB23732@p15145560.pureserver.info>

Jay Vosburgh wrote:
> Another similar Rube Goldberg sort of scheme I've set up in the
> past (in the lab, for bonding testing, not in a production environment,
> your mileage may vary, etc, etc) is to dedicate particular switch ports
> to particular vlans. So, e.g.,
>
> linux box eth0 ---- port 1:vlan 99 SWITCH(ES) port2:vlan 99 ---- eth0 linux box
>   bond0   eth1 ---- port 3:vlan 88 SWITCH(ES) port4:vlan 88 ---- eth1   bond0
>
> This sort of arrangement requires setting the Cisco switch ports
> to be native to a particular vlan, e.g., "switchport mode access",
> "switchport access vlan 88". Theoretically, the intervening switches
> will simply pass the vlan traffic through and not decapsulate it until
> it reaches its end destination port. You might also have to fool with
> the inter-switch links to make sure they're trunking properly (to pass
> the vlan traffic).

I was able to test the above setup now. Both eth2 interfaces are in vlan 801, each eth3 interface is in vlan 801. bonding is configured in round robin mode, net.ipv4.tcp_reordering = 127.

As a basic test I disabled bonding and did a parallel benchmark over both vlans (192.168.1.0/24 + 10.10.0.1/24).
# ./linux-i386 -t 10.10.0.1

NETIO - Network Throughput Benchmark, Version 1.26
(C) 1997-2005 Kai Uwe Rommel

TCP connection established.
Packet size  1k bytes:  73444 KByte/s Tx,  72705 KByte/s Rx.
Packet size  2k bytes:  73733 KByte/s Tx,  71534 KByte/s Rx.
Packet size  4k bytes:  73418 KByte/s Tx,  72074 KByte/s Rx.
Packet size  8k bytes:  73458 KByte/s Tx,  71962 KByte/s Rx.
Packet size 16k bytes:  73113 KByte/s Tx,  72132 KByte/s Rx.
Packet size 32k bytes:  72719 KByte/s Tx,  73442 KByte/s Rx.
Done.

# ./linux-i386 -t 192.168.1.1

NETIO - Network Throughput Benchmark, Version 1.26
(C) 1997-2005 Kai Uwe Rommel

TCP connection established.
Packet size  1k bytes:  74130 KByte/s Tx,  71282 KByte/s Rx.
Packet size  2k bytes:  73188 KByte/s Tx,  71663 KByte/s Rx.
Packet size  4k bytes:  73321 KByte/s Tx,  72349 KByte/s Rx.
Packet size  8k bytes:  73080 KByte/s Tx,  72272 KByte/s Rx.
Packet size 16k bytes:  73032 KByte/s Tx,  72307 KByte/s Rx.
Packet size 32k bytes:  72995 KByte/s Tx,  72132 KByte/s Rx.
Done.

This is not 2 x GbE, but more than just one interface.

Next I enabled bonding and repeated the test over the bond0 interfaces.

# ./linux-i386 -t 10.60.1.244

NETIO - Network Throughput Benchmark, Version 1.26
(C) 1997-2005 Kai Uwe Rommel

TCP connection established.
Packet size  1k bytes: 113469 KByte/s Tx, 113990 KByte/s Rx.
Packet size  2k bytes: 112990 KByte/s Tx, 114107 KByte/s Rx.
Packet size  4k bytes: 110997 KByte/s Tx, 114269 KByte/s Rx.
Packet size  8k bytes: 113337 KByte/s Tx, 114338 KByte/s Rx.
Packet size 16k bytes: 113587 KByte/s Tx, 113920 KByte/s Rx.
Packet size 32k bytes: 113249 KByte/s Tx, 114354 KByte/s Rx.
Done.

Now I get only the speed of one GbE interface again.
ifstat on server a (netio server):

        eth2                  eth3
 KB/s in   KB/s out    KB/s in   KB/s out
120257.6    6419.24   120143.6    6416.79
    0.00       0.00       0.00       0.00
58908.95   67127.21   56951.31   69093.78
    0.00       0.00       0.00       0.00
 6277.72   119635.0    6277.95   119910.9
    0.00       0.00       0.00       0.00
 6306.51   120092.4    6309.26   119892.6
    0.00       0.00       0.00       0.00
 2945.82   55833.14    2832.18   54014.88
    0.00       0.00       0.00       0.00

ifstat on server b (netio "client"):

        eth2                  eth3
 KB/s in   KB/s out    KB/s in   KB/s out
 6339.45   119813.5    6361.06   119714.8
    0.00       0.00       0.00       0.00
 8852.77   117313.6   14954.50   111191.7
    0.00       0.00       0.00       0.00
119485.3    6268.16   119901.3    6270.50
    0.00       0.00       0.00       0.00
120151.5    6305.75   119914.7    6309.08
    0.00       0.00       0.00       0.00
117493.9    6179.55   111202.9    5838.42
    0.00       0.00       0.00       0.00

It seems that the traffic is equally shared over both interfaces. Only two switches with the vlans are involved (two buildings).

Any ideas? Is this the performance I should get from (nearly) 2x GbE with packet reordering in mind?

Ralf

From gtaylor at riverviewtech.net Tue Aug 21 21:11:56 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Tue Aug 21 23:40:56 2007
Subject: [LARTC] Re: Rout looping through local host.
In-Reply-To: <46CB0F32.7040206@riverviewtech.net>
References: <46CB0F32.7040206@riverviewtech.net>
Message-ID: <46CB38FC.2080601@riverviewtech.net>

After more Googling and searching through mailing lists with ever widening search terms I think I may have come across something that has some potential. If I understand it correctly, the "Linux Virtual Router and Forwarding" project (http://linux-vrf.sourceforge.net/) has a LOT of potential. I think it might even help me.

(More to come.)

Grant. . . .

From pranavadesai at gmail.com Wed Aug 22 04:41:58 2007
From: pranavadesai at gmail.com (Pranav Desai)
Date: Wed Aug 22 04:42:10 2007
Subject: [LARTC] Policy base forwarding issues
In-Reply-To: <000a01c7e3a5$aa283820$b9021d0a@SalimSi>
References: <000a01c7e3a5$aa283820$b9021d0a@SalimSi>
Message-ID:

Thanks for the reply.
On 8/20/07, Salim S I wrote:
>
> Why don't you use DNAT?
>
> The via address is supposed to be the address of nexthop router.
>

I could, but on the receiving side we need the IP of the destination for testing some issue.

Also, I have had some success with the setup. After setting the rules and routes with explicit devices, i.e.

ip rul add from 10.1.0.166 dev eth0 table 2

it seems to work a lot better. I will test it a bit more.

-- Pranav

> -----Original Message-----
> From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Pranav Desai
> Sent: Saturday, August 18, 2007 6:53 AM
> To: lartc
> Subject: [LARTC] Policy base forwarding issues
>
> Hello All,
>
> I am trying to setup a linux box as a forwarding router based on src IP.
> The problem is that it does forward the pkts to the intended server
> specified in the ip rule, but it also forwards it to the original dst (dst
> specified in the pkt).
>
> Here is the setup:
>
> [10.1.0.166]                                                      [192.168.1.225]
>      |                                                                   |
>      |              [A]                             [B]                  |
>      |-------[10.1.0.63/172.16.1.63] ----------- [172.16.1.64/192.168.1.65] ---------|
>      |       linux box only has                  linux-router in question            |
>      |       net.ipv4.ip_forward=1                                                   |
>      |                                                                               |
> [10.1.0.167]                                                             [192.168.1.100]
>
> A - is just a linux box doing forwarding for the 2 networks 10.1.x.x - 172.16.1.x.
> B - is the linux router which I want to setup as forwarding.
>
> The pkts come from 10.1.0.166 and .167 -> to 192.168.1.100
> I want to setup rules on [B] to forward all pkts with src addr. 10.1.0.166 to 192.168.1.225.
> And, all pkts from 10.1.0.167 to 192.168.1.100 should still go to 192.168.1.100.
>
> Here are the rules I setup.
>
> [root@forwarder ~]# ip rule sh
> 0:      from all lookup local
> 32765:  from 10.1.0.166 lookup 225
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> [root@forwarder ~]# ip ro sh tab 225
> 192.168.1.0/24 via 192.168.1.225 dev eth1
>
> The pkts still go to both .225 and .100.
> I checked on another machine connected to the same switch as 192.168.1.100
> and 192.168.1.225 and its not receiving the pkts. So, it doesnt seem like
> the switch is screwing up and broadcasting the packets everywhere.
>
> I would appreciate any kind of help or pointers.
>
> Thanks for your time.
>
> -- pranav
> http://pd.dnsalias.org

--
http://pd.dnsalias.org

From indunil75 at gmail.com Wed Aug 22 06:04:45 2007
From: indunil75 at gmail.com (Indunil Jayasooriya)
Date: Wed Aug 22 06:04:59 2007
Subject: [LARTC] two providers
In-Reply-To: <003701c7e3e6$c37b00f0$b9021d0a@SalimSi>
References: <7ed6b0aa0708210411n9507c10rec89c0e095b85c90@mail.gmail.com> <003701c7e3e6$c37b00f0$b9021d0a@SalimSi>
Message-ID: <7ed6b0aa0708212104u50dab948ic9d487ce9f4648@mail.gmail.com>

On 8/21/07, Salim S I wrote:
>
> > "ip route add default via ppp0 table T1"
>
> via is not for device name.

YES, THAT'S right. Small error. Pls forgive me.

> After ppp0 is up, type ifconfig and see the gateway, and use that gateway.

YES, that is right. Pls DO it.

And also, pls let me rectify the below rule as well. Pls pay attention to ipaddressofppp0 written in BOLD letters. In the script, I have used the ip address of eth1 (i.e. 202.51.78.122). Pls replace that rule with the below rule.

ip route add default scope global nexthop via ipaddressofppp0 dev eth1 weight 1 nexthop via 203.78.165.153 dev eth2 weight 1

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Indunil Jayasooriya
Sent: Tuesday, August 21, 2007 7:12 PM
To: mangal regmi; lartc@mailman.ds9a.nl
Subject: Re: [LARTC] two providers
--
Thank you
Indunil Jayasooriya

From sting at bloodwolf.org Wed Aug 22 08:32:18 2007
From: sting at bloodwolf.org (sting)
Date: Wed Aug 22 08:35:51 2007
Subject: [LARTC] simple tbf rate clamping issues
Message-ID: <46CBD872.6060307@bloodwolf.org>

Hello,

I was attempting to throttle egress traffic to a specific rate using a tbf. As a starting point I used an example from the LARTC howto, which goes:

tc qdisc add dev eth1 root tbf rate 220kbit latency 50ms burst 1540

I then attempted a large fetch from another machine via wget (~40 megs) and the rate was clamped down to about 12 Kbytes/s. As this seemed too much, I gradually increased the latency up to 200ms which then gave me the expected results (~34 Kbytes/s).

I then applied this queuing discipline on a machine acting as a gateway/router for a few VLANed subnets. The tbf was applied on interface eth1.615. From another workstation I attempted a wget, and so the traffic had to go through the gateway/router. The download rate went from 16 Mbytes/s down to about 1.6 Mbytes/s, but was much much higher than what I'm trying to clamp it down to.

Two questions:

1/ My main question. AFAIK, queuing disciplines affect egress traffic whether that traffic originates from the host or is being forwarded.
Assuming that the fact the tbf is mostly meant to be applied to forwarded traffic is not an issue, *is there anything else that could cause the transfer rate not to be correctly clamped down?* What parameters should I be playing with?

2/ I'm assuming the first example I quoted must have worked as described when the HOWTO was initially written a few years ago. In any case, I am assuming that with 50ms max latency outgoing packets could not be held long enough in the tbf and had to be dropped, correct?

Thank you,
sting

From rabbit at rabbit.us Wed Aug 22 10:08:48 2007
From: rabbit at rabbit.us (Peter Rabbitson)
Date: Wed Aug 22 10:09:07 2007
Subject: [LARTC] Policy routing question
In-Reply-To: <46C0DB9D.3000104@rabbit.us>
References: <46C0DB9D.3000104@rabbit.us>
Message-ID: <46CBEF10.1080502@rabbit.us>

No takers on this question? I investigated further and it seems that this is a specific problem with iputils-ping. It seems that regardless of the supplied interface name, the source IP is chosen to be closest to the default gateway. OTOH my ability to follow C code is next to minimal, and I would really appreciate it if someone can confirm this.
Here is the part I believe is relevant:

    if (source.sin_addr.s_addr == 0) {
        socklen_t alen;
        struct sockaddr_in dst = whereto;
        /* Throw-away UDP socket: connect() on it only runs the route lookup. */
        int probe_fd = socket(AF_INET, SOCK_DGRAM, 0);

        if (probe_fd < 0) {
            perror("socket");
            exit(2);
        }
        if (device) {
            struct ifreq ifr;

            memset(&ifr, 0, sizeof(ifr));
            strncpy(ifr.ifr_name, device, IFNAMSIZ-1);
            /* A failed SO_BINDTODEVICE is only handled for multicast
             * destinations; for a unicast destination the probe simply
             * goes on without any binding to the requested device. */
            if (setsockopt(probe_fd, SOL_SOCKET, SO_BINDTODEVICE, device, strlen(device)+1) == -1) {
                if (IN_MULTICAST(ntohl(dst.sin_addr.s_addr))) {
                    struct ip_mreqn imr;

                    if (ioctl(probe_fd, SIOCGIFINDEX, &ifr) < 0) {
                        fprintf(stderr, "ping: unknown iface %s\n", device);
                        exit(2);
                    }
                    memset(&imr, 0, sizeof(imr));
                    imr.imr_ifindex = ifr.ifr_ifindex;
                    if (setsockopt(probe_fd, SOL_IP, IP_MULTICAST_IF, &imr, sizeof(imr)) == -1) {
                        perror("ping: IP_MULTICAST_IF");
                        exit(2);
                    }
                }
            }
        }
        if (settos && setsockopt(probe_fd, IPPROTO_IP, IP_TOS, (char *)&settos, sizeof(int)) < 0)
            perror("Warning: error setting QOS sockopts");

        dst.sin_port = htons(1025);
        if (nroute)
            dst.sin_addr.s_addr = route[0];
        if (connect(probe_fd, (struct sockaddr*)&dst, sizeof(dst)) == -1) {
            if (errno == EACCES) {
                if (broadcast_pings == 0) {
                    fprintf(stderr, "Do you want to ping broadcast? Then -b\n");
                    exit(2);
                }
                fprintf(stderr, "WARNING: pinging broadcast address\n");
                if (setsockopt(probe_fd, SOL_SOCKET, SO_BROADCAST, &broadcast_pings, sizeof(broadcast_pings)) < 0) {
                    perror("can't set broadcasting");
                    exit(2);
                }
                if (connect(probe_fd, (struct sockaddr*)&dst, sizeof(dst)) == -1) {
                    perror("connect");
                    exit(2);
                }
            } else {
                perror("connect");
                exit(2);
            }
        }
        /* Whatever source address the kernel chose for the connected
         * socket becomes ping's source address. */
        alen = sizeof(source);
        if (getsockname(probe_fd, (struct sockaddr*)&source, &alen) == -1) {
            perror("getsockname");
            exit(2);
        }
        source.sin_port = 0;
        close(probe_fd);
    } while (0);

Peter Rabbitson wrote:
> Hi,
>
> I have a testing multihome setup, with the default gateway being one of
> the links and using policy routing to honor requests for a specific
> link. Everything works as expected when I request a specific IP to bind
> to.
> But if I request a specific interface things fall apart in ways that
> I can not explain:
>
> default gw (WORKS)
> ----------
> rabbit@Thesaurus:~$ ping -c 1 yahoo.com
> PING yahoo.com (216.109.112.135) 56(84) bytes of data.
> 64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=1 ttl=48 time=142 ms
>
> request IP on same link as default gw (WORKS)
> -------------------------------------
> rabbit@Thesaurus:~$ ping -I 192.168.9.102 -c 1 yahoo.com
> PING yahoo.com (66.94.234.13) from 192.168.9.102 : 56(84) bytes of data.
> 64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=1 ttl=47 time=176 ms
>
> request IP on secondary link (WORKS)
> ----------------------------
> rabbit@Thesaurus:~$ ping -I 172.16.0.2 -c 1 yahoo.com
> PING yahoo.com (216.109.112.135) from 172.16.0.2 : 56(84) bytes of data.
> 64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=1 ttl=47 time=146 ms
>
> request interface of default gw link (WORKS)
> ------------------------------------
> rabbit@Thesaurus:~$ ping -I eth1 -c 1 yahoo.com
> PING yahoo.com (66.94.234.13) from 192.168.9.102 eth1: 56(84) bytes of data.
> 64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=1 ttl=47 time=176 ms
>
> request secondary interface (FAILS)
> ---------------------------
> rabbit@Thesaurus:~$ ping -I eth0 -c 1 yahoo.com
> PING yahoo.com (216.109.112.135) from 192.168.9.102 eth0: 56(84) bytes of data.
> From 172.16.0.2 icmp_seq=1 Destination Host Unreachable
>
> I went over the setup again and again, but I can't figure out why the
> last ping attempt fails. Any pointers are welcome!
>
> Thanks
>
> Peter
>
> Here is the setup:
>
> ip addr
> ----------
> 2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:11:09:8d:4f:c1 brd ff:ff:ff:ff:ff:ff
>     inet 172.16.0.2/24 brd 172.16.0.255 scope global eth0
> 3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:04:e2:80:b4:97 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.9.102/24 brd 192.168.9.255 scope global eth1
>
> ip ro show table all
> -----------------------
> default via 172.16.0.1 dev eth0 table 10
> default via 192.168.9.1 dev eth1 table 20
> default via 192.168.9.1 dev eth1 table default
> 172.16.0.0/24 dev eth0 proto kernel scope link src 172.16.0.2
> 192.168.9.0/24 dev eth1 proto kernel scope link src 192.168.9.102
> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
> broadcast 192.168.9.0 dev eth1 table local proto kernel scope link src 192.168.9.102
> broadcast 172.16.0.0 dev eth0 table local proto kernel scope link src 172.16.0.2
> local 192.168.9.102 dev eth1 table local proto kernel scope host src 192.168.9.102
> local 172.16.0.2 dev eth0 table local proto kernel scope host src 172.16.0.2
> broadcast 192.168.9.255 dev eth1 table local proto kernel scope link src 192.168.9.102
> broadcast 172.16.0.255 dev eth0 table local proto kernel scope link src 172.16.0.2
> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
>
> ip ru
> -----
> 0:      from all lookup local
> 5:      from all lookup main
> 10:     from all iif eth0 lookup 10
> 11:     from 172.16.0.0/24 lookup 10
> 20:     from all iif eth1 lookup 20
> 21:     from 192.168.9.0/24 lookup 20
> 100:    from all lookup default
>
> no netfilter rules of any sort (all policies set at ACCEPT)
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
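The probe from the ping fragment Peter posted above can be exercised on its own. What follows is an added example written for this page, not iputils code and not something from the thread: it connects a UDP socket to a destination (which sends nothing and only runs the route lookup), optionally after SO_BINDTODEVICE, and reports the source address getsockname() returns. As in the fragment, a failed device bind does not abort the probe, so the reported source then comes from the plain route lookup rather than from the requested interface; the result records that so the two cases can be told apart. The names probe_source and probe_result, and the use of port 1025 (the arbitrary port the fragment also uses), are choices made for this example.

```c
/*
 * Added example: the "probe socket" trick from the ping fragment, stand-alone.
 * Not iputils code.  Usage: ./probe [dest-ip] [device]
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct probe_result {
    char src[INET_ADDRSTRLEN]; /* source address the kernel selected */
    int  bind_failed;          /* 1: a device was requested but could not be bound */
    int  ok;                   /* 1: probe completed and src is valid */
};

struct probe_result probe_source(const char *dst_ip, const char *device)
{
    struct probe_result r;
    struct sockaddr_in dst, src;
    socklen_t alen = sizeof(src);
    int fd;

    memset(&r, 0, sizeof(r));
    memset(&dst, 0, sizeof(dst));
    dst.sin_family = AF_INET;
    dst.sin_port = htons(1025);            /* arbitrary, as in ping's probe */
    if (inet_pton(AF_INET, dst_ip, &dst.sin_addr) != 1)
        return r;                          /* not a dotted-quad address */

    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return r;

    if (device && *device) {
#ifdef SO_BINDTODEVICE
        /* Linux only; on older kernels this needs CAP_NET_RAW, so an
         * unprivileged caller gets EPERM and the probe continues unbound. */
        if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, device,
                       strlen(device) + 1) == -1)
            r.bind_failed = 1;
#else
        r.bind_failed = 1;                 /* option does not exist on this OS */
#endif
    }

    /* connect() on a datagram socket transmits nothing: it picks the route
     * and with it the source address, which getsockname() then reveals. */
    if (connect(fd, (struct sockaddr *)&dst, sizeof(dst)) == -1 ||
        getsockname(fd, (struct sockaddr *)&src, &alen) == -1) {
        close(fd);
        return r;
    }
    close(fd);
    inet_ntop(AF_INET, &src.sin_addr, r.src, sizeof(r.src));
    r.ok = 1;
    return r;
}

int main(int argc, char **argv)
{
    const char *dst = argc > 1 ? argv[1] : "127.0.0.1";
    const char *dev = argc > 2 ? argv[2] : NULL;
    struct probe_result r = probe_source(dst, dev);

    if (!r.ok) {
        fprintf(stderr, "probe to %s failed\n", dst);
        return 1;
    }
    printf("source for %s%s%s: %s%s\n", dst,
           dev ? " via " : "", dev ? dev : "", r.src,
           r.bind_failed ? "  (device bind failed; route lookup ignored it)" : "");
    return 0;
}
```

On a multihomed box, running the probe once without a device and once with each interface, both as root and as an unprivileged user, shows directly whether the device was honoured or whether the bind failed and the answer fell back to the route lookup; that is the distinction the thread is chasing, and it is the same one that matters whenever a filter or a policy rule is keyed on the source address a host is expected to use.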
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From ja at ssi.bg Wed Aug 22 10:15:53 2007
From: ja at ssi.bg (Julian Anastasov)
Date: Wed Aug 22 10:14:36 2007
Subject: [LARTC] Rout looping through local host.
In-Reply-To: <46CB0F32.7040206@riverviewtech.net>
References: <46CB0F32.7040206@riverviewtech.net>
Message-ID:

	Hello,

On Tue, 21 Aug 2007, Grant Taylor wrote:

> I want to be able to take traffic in from a local LAN on eth0 and route
> it out eth1 to a default gateway with a static IP. I want said default
> gateway with the static IP to be assigned to eth2. I then want to route
> and masquerade traffic that came in eth2 out eth3.
>
> (Enter ASCII art)
>
> --------------+
> Context 0     |
>        +------+      +-----------+
>    +---+ eth0 |------+ Local LAN |
>    |   +------+      +-----------+
>    |          |
>    |   +------+
>    +---+ eth1 +---+
>        +------+   |
>               |   |
> ==============|===|===
> Context 1     |   |
>        +------+   |
>    +---+ eth2 +---+
>    |   +------+
>    |          |
>    |   +------+      +----------+
>    +---+ eth3 +------+ Internet |
>        +------+      +----------+
>               |
> --------------+
>
> I want the "router" in context 0 to effectively (for the sake of
> discussion) do basic static NAT routing for the local LAN. This router
> will have two static IP addresses, LAN facing and upstream router facing.
>
> I want the "router" in context 1 to effectively (for the sake of
> discussion) do basic MASQUERADing for the equipment behind it. This
> router will have one static IP facing the LAN and one dynamic IP facing
> its upstream provider.
>
> I have followed Julian Anastasov's directions
> (http://www.ssi.bg/~ja/send-to-self.txt) and applied his Send-to-Self
> patch (http://www.ssi.bg/~ja/send-to-self-2.6.22-1.diff) to a stock
> 2.6.22 kernel and I am able to ping the IP address assigned to eth2 from
> eth1 without any problems. However I don't think Julian's patch covers
> routing traffic through (not terminating at or originating locally) the
> cross over cable.

	Yes, patch works for output routes only.
	Maybe you can try to forward traffic with ip rules with the iif parameter. Make sure you have rules and routes for both directions. Of course, there must be some IP addresses because routes work only for devices with IPs. SNAT should be able to assign a non-local external IP address, not possible for MASQUERADE, you have to use SNAT everywhere. That is, don't configure the SNAT addresses. Then you should not see local IPs in the traffic. Not sure for other pitfalls.

Regards

--
Julian Anastasov

From salim.si at cipherium.com.tw Wed Aug 22 10:20:49 2007
From: salim.si at cipherium.com.tw (Salim S I)
Date: Wed Aug 22 10:21:17 2007
Subject: [LARTC] Policy routing question
In-Reply-To: <46CBEF10.1080502@rabbit.us>
Message-ID: <000b01c7e495$5c45d950$6401a8c0@SalimSi>

Older versions of ping do not support an interface with the -I option. It won't give an error, but it simply won't work. I had such an issue and it was solved with the latest ping tool. Have you tried using tcpdump to capture packets from the interfaces?

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Peter Rabbitson
Sent: Wednesday, August 22, 2007 4:09 PM
To: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Policy routing question

No takers on this question? I investigated further and it seems that this is a specific problem with iputils-ping. It seems that regardless of the supplied interface name, the source IP is chosen to be closest to the default gateway. OTOH my ability to follow C code is next to minimal, and I would really appreciate it if someone can confirm this.
From bschenker at restechservices.net Wed Aug 22 13:07:42 2007
From: bschenker at restechservices.net (Bryan Schenker)
Date: Wed Aug 22 13:07:55 2007
Subject: [LARTC] simple tbf rate clamping issues
In-Reply-To: <20070822100006.ADBD140DB@outpost.ds9a.nl>
References: <20070822100006.ADBD140DB@outpost.ds9a.nl>
Message-ID: <416EC385-CEA7-439C-A763-DF1E982C3976@restechservices.net>

My first guess would be vlans being a problem. I know at least for class based queuing disciplines on vlans, you have to take care to define filters that funnel traffic through a class by selecting 802.1q traffic on the real interface, not the vlan interface.

I know traffic shaping does work on vlans with the class based queues because I use it every day. But all my tc statements are applied on a real physical interface and not the vlan interface; I could never get tc to work on vlan interfaces directly.

Just a guess, but I bet you'd get the rate limiting you expect on your vlan by applying the tbf rate limit on interface eth1 instead of the vlan interface. If so, and if your goal is to rate limit by vlan, then you will likely need to go with a class based queueing discipline like htb and then define traffic filters to limit each vlan to the rate you wish.

From pr-ml at reinhardtweb.de Wed Aug 22 13:24:21 2007
From: pr-ml at reinhardtweb.de (Patrick Reinhardt)
Date: Wed Aug 22 13:20:01 2007
Subject: [LARTC] Limited number of bands in PRIO qdisc
Message-ID: <200708221324.23380.pr-ml@reinhardtweb.de>

Hello,

is it possible that the number of bands for the PRIO qdisc is limited to 16?
tc qdisc add dev $DEVICE root handle 1: prio bands 16 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1

succeeds but

tc qdisc add dev $DEVICE root handle 1: prio bands 17 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1

returns: 'RTNETLINK answers: Invalid argument'

Is there any possibility to raise the number of bands to a higher value?

Thank you in advance.

Patrick

From vdautrem at ulb.ac.be Wed Aug 22 13:39:09 2007
From: vdautrem at ulb.ac.be (Vincent Dautremont)
Date: Wed Aug 22 13:39:20 2007
Subject: [LARTC] Limited number of bands in PRIO qdisc
In-Reply-To: <200708221324.23380.pr-ml@reinhardtweb.de>
References: <200708221324.23380.pr-ml@reinhardtweb.de>
Message-ID:

I answer randomly but, perhaps you have to give 17 parameters as well for the priomap. You have only 16 of them in your second example.

Vincent.

On 22 Aug 07 at 13:24, Patrick Reinhardt wrote:

> is it possible that the number of bands for the PRIO qdisc is
> limited to 16?

From sting at bloodwolf.org Wed Aug 22 20:01:59 2007
From: sting at bloodwolf.org (sting)
Date: Wed Aug 22 20:02:35 2007
Subject: [LARTC] simple tbf rate clamping issues
In-Reply-To: <416EC385-CEA7-439C-A763-DF1E982C3976@restechservices.net>
References: <20070822100006.ADBD140DB@outpost.ds9a.nl> <416EC385-CEA7-439C-A763-DF1E982C3976@restechservices.net>
Message-ID: <30228.159.153.138.98.1187805719.squirrel@www.bloodwolf.org>

> My first guess would be vlans being a problem.
> I know at least for
> class based queuing disciplines on vlans, you have to take care to
> define filters that funnel traffic through a class by selecting
> 802.1q traffic on the real interface, not the vlan interface.

Wow, why would that be though? If the VLAN is simply presented as an interface, and the queuing disciplines work on an interface basis, what is it that breaks it?

> I know traffic shaping does work on vlans with the class based queues
> because I use it every day. But all my tc statements are applied on a
> real physical interface and not the vlan interface; I could never get
> tc to work on vlan interfaces directly.

For what it's worth, I've been applying netem queuing disciplines to many different VLAN interfaces and have been getting exactly the expected results (the packet loss % is right on, etc). Could you think of anything different with a tbf that fails?

> Just a guess, but I bet you'd get the rate limiting you expect on
> your vlan by applying the tbf rate limit on interface eth1 instead of
> the vlan interface. If so, and if your goal is to rate limit by vlan,
> then you will likely need to go with a class based queueing
> discipline like htb and then define traffic filters to limit each
> vlan to the rate you wish.

Yes the goal is to limit by VLAN. I will try what you suggested, i.e. limit the traffic on the physical interface instead, and I'll report back. But I hope that won't be the solution! :)

From sting at bloodwolf.org Wed Aug 22 20:55:19 2007
From: sting at bloodwolf.org (sting)
Date: Wed Aug 22 20:55:42 2007
Subject: [LARTC] simple tbf rate clamping issues
In-Reply-To: <30228.159.153.138.98.1187805719.squirrel@www.bloodwolf.org>
References: <20070822100006.ADBD140DB@outpost.ds9a.nl> <416EC385-CEA7-439C-A763-DF1E982C3976@restechservices.net> <30228.159.153.138.98.1187805719.squirrel@www.bloodwolf.org>
Message-ID: <31601.159.153.138.98.1187808919.squirrel@www.bloodwolf.org>

So I did apply the tbf on the eth1 interface instead of the VLAN interface, and I saw the same results. Some rate limiting was definitely occurring, but not down to the rate (220kbit) I was expecting. It was still much higher (~1 Mbytes/s), with the unclamped rate being about 16 Mbytes/s.

Has everyone else otherwise pretty much always obtained transfer rates clamped down to what they expected with the tbf?

thanks.
From lists at andyfurniss.entadsl.com Wed Aug 22 21:23:55 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Wed Aug 22 21:23:58 2007
Subject: [LARTC] HTB tree is too deep
In-Reply-To: <46C47905.1050201@argontech.net>
References: <46C47905.1050201@argontech.net>
Message-ID: <46CC8D4B.5020705@andyfurniss.entadsl.com>

Marco C. Coelho wrote:
> I've got a linux (2.6.18-8.1.6.el5.centos.plus) router doing pppoe
> termination and HTB rate limiting.
>
> the number of connections has grown quite a bit in the last few months,
> and I'm now getting a:
>
> HTB tree is too deep
>
> message on the monitor.
>
> where is the setting for max depth?

There is a define in both the kernel and iproute2's copy of the headers - I don't know if you need to do both and recompile both kernel and tc.

include/linux/pkt_sched.h:#define TC_HTB_MAXDEPTH 8

Andy.
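For Patrick's PRIO question and Vincent's reply above, here is an added example, written for this page and not taken from the thread, from tc or from the kernel: the checks that decide whether a "tc qdisc add ... prio bands N priomap ..." line is accepted, written out so that Patrick's two commands and Vincent's 17-entry variant can be tried without a root shell. The limits are the constants from the kernel's linux/pkt_sched.h header, TC_PRIO_MAX (the priomap has TC_PRIO_MAX + 1 slots) and TCQ_PRIO_BANDS; the check order mirrors tc's parsing first and the prio qdisc's EINVAL afterwards. The function and enum names are choices made for this example.

```c
/*
 * Added example: why "bands 17" is rejected.  Not tc or kernel code; the two
 * constants are the kernel header's values, the checks are a rewrite of the
 * ones tc (q_prio.c) and the kernel (sch_prio.c) apply.
 */
#include <stddef.h>
#include <stdio.h>

#define TC_PRIO_MAX    15   /* priomap has TC_PRIO_MAX + 1 = 16 slots */
#define TCQ_PRIO_BANDS 16   /* hard upper bound on "bands" */

enum prio_check {
    PRIO_OK = 0,
    PRIO_ERR_PRIOMAP_TOO_LONG,   /* tc: "priomap" index > TC_PRIO_MAX=15 */
    PRIO_ERR_BAND_COUNT,         /* kernel: bands < 2 or > TCQ_PRIO_BANDS -> EINVAL */
    PRIO_ERR_PRIOMAP_BAND        /* kernel: a priomap entry >= bands -> EINVAL */
};

/* tc starts from this map and overwrites the entries the user supplies. */
static const unsigned char default_priomap[TC_PRIO_MAX + 1] =
    {1, 2, 2, 2, 1, 2, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1};

/* bands: the "bands N" value; priomap/n: the entries given on the command line. */
enum prio_check check_prio(unsigned bands, const unsigned char *priomap, size_t n)
{
    unsigned char map[TC_PRIO_MAX + 1];
    size_t i;

    /* tc refuses a 17th priomap entry before anything reaches the kernel. */
    if (n > TC_PRIO_MAX + 1)
        return PRIO_ERR_PRIOMAP_TOO_LONG;
    for (i = 0; i <= TC_PRIO_MAX; i++)
        map[i] = i < n ? priomap[i] : default_priomap[i];

    /* Kernel side: the band count itself is bounded ... */
    if (bands < 2 || bands > TCQ_PRIO_BANDS)
        return PRIO_ERR_BAND_COUNT;
    /* ... and every priority must map to an existing band. */
    for (i = 0; i <= TC_PRIO_MAX; i++)
        if (map[i] >= bands)
            return PRIO_ERR_PRIOMAP_BAND;
    return PRIO_OK;
}

const char *prio_check_text(enum prio_check c)
{
    switch (c) {
    case PRIO_OK:                   return "accepted";
    case PRIO_ERR_PRIOMAP_TOO_LONG: return "tc: \"priomap\" index > TC_PRIO_MAX=15";
    case PRIO_ERR_BAND_COUNT:       return "kernel: Invalid argument (bands out of range)";
    case PRIO_ERR_PRIOMAP_BAND:     return "kernel: Invalid argument (priomap entry >= bands)";
    }
    return "?";
}

int main(void)
{
    /* Patrick's 16-entry priomap, and Vincent's variant with a 17th entry. */
    const unsigned char map16[16] = {1, 2, 2, 2, 1, 2, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1};
    const unsigned char map17[17] = {1, 2, 2, 2, 1, 2, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1};

    printf("bands 16, 16 entries: %s\n", prio_check_text(check_prio(16, map16, 16)));
    printf("bands 17, 16 entries: %s\n", prio_check_text(check_prio(17, map16, 16)));
    printf("bands 17, 17 entries: %s\n", prio_check_text(check_prio(17, map17, 17)));
    printf("bands 2,  16 entries: %s\n", prio_check_text(check_prio(2, map16, 16)));
    return 0;
}
```

The second case is Patrick's failing command: the band count alone trips the kernel's bound, which is all "RTNETLINK answers: Invalid argument" tells you. The third shows that adding a 17th priomap entry moves the failure into tc rather than lifting the limit.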
From lists at andyfurniss.entadsl.com Wed Aug 22 21:27:52 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Wed Aug 22 21:27:45 2007
Subject: [LARTC] Limited number of bands in PRIO qdisc
In-Reply-To: <200708221324.23380.pr-ml@reinhardtweb.de>
References: <200708221324.23380.pr-ml@reinhardtweb.de>
Message-ID: <46CC8E38.1010605@andyfurniss.entadsl.com>

Patrick Reinhardt wrote:
> is it possible that the number of bands for the PRIO qdisc is limited to 16?
>
> tc qdisc add dev $DEVICE root handle 1: prio bands 17 priomap 1 2 2 2 1 2 0 0
> 1 1 1 1 1 1 1 1
>
> returns: 'RTNETLINK answers: Invalid argument'
>
> Is there any possibility to raise the number of bands to a higher value?

I got a better error message than that -

"priomap" index > TC_PRIO_MAX=15

Grepping for TC_PRIO_MAX shows it's in both kernel and iproute2's copy of the headers - I don't know if you need to do both or not - but I would, and recompile kernel and tc

/include/linux/pkt_sched.h:#define TC_PRIO_MAX 15

Andy.

From bschenker at restechservices.net Wed Aug 22 21:53:40 2007
From: bschenker at restechservices.net (Bryan Schenker)
Date: Wed Aug 22 21:53:47 2007
Subject: [LARTC] simple tbf rate clamping issues
In-Reply-To: <30228.159.153.138.98.1187805719.squirrel@www.bloodwolf.org>
References: <20070822100006.ADBD140DB@outpost.ds9a.nl> <416EC385-CEA7-439C-A763-DF1E982C3976@restechservices.net> <30228.159.153.138.98.1187805719.squirrel@www.bloodwolf.org>
Message-ID: <1187812420.5422.133.camel@antipothe>

On Wed, 2007-08-22 at 14:01 -0400, sting wrote:
> > My first guess would be vlans being a problem. I know at least for
> > class based queuing disciplines on vlans, you have to take care to
> > define filters that funnel traffic through a class by selecting
> > 802.1q traffic on the real interface, not the vlan interface.
> > Wow, why would that be though? If the VLAN is simply presented as an > interface, and the queuing disciplines work on an interface basis, what is > it that breaks it? > It can depend on where tc hooks into the network stack, where vlan headers get messed with, hooked in, etc. I'm no hacker here, but I suspect that it can depend on whether your network card is handling some of the vlan tagging work or if it's being handled by the OS somewhere. I have noticed different behavior with different network cards.
#on one server I use...
/sbin/tc filter add dev eth1 protocol ip prio 2 parent 1: [insert appropriate filter statement here] flowid 1:123
#on another server I use (same kernel, just different NIC )...
/sbin/tc filter add dev eth1 protocol 802.1q prio 2 parent 1: [insert appropriate filter statement here] flowid 1:123
Adding vlan information can change where some data is kept in a packet. Can't explain in exact detail why I ran into problems, just what I've discovered. > > I know traffic shaping does work on vlans with the class based queues > > because I use it every day. But all my tc statements are applied on a > > real physical interface and not the vlan interface; I could never get > > tc to work on vlan interfaces directly. > > For what it's worth, I've been applying netem queuing disciplines to many > different VLAN interfaces and have been getting exactly the expected > results (the packet loss % is right on, etc). Could you think of anything > different with a tbf that fails? > Not sure on that one. tbf does have a lot of "knobs" to turn in its configuration, though, and I've not used netem. > > Just a guess, but I bet you'd get the rate limiting you expect on > > your vlan by applying the tbf rate limit on interface eth1 instead of > > the vlan interface.
If so, and if your goal is to rate limit by vlan, > > then you will likely need to go with a class based queueing > > discipline like htb and then define traffic filters to limit each > > vlan to the rate you wish. > > Yes the goal is to limit by VLAN. I will try what you suggested, i.e. > limit the traffic on the physical interface instead and I'll report back. > But I hope that won't be the solution! :) > Limiting on the physical interface will allow you to group vlans under a common rate limit. Can be useful. > >> ---------------------------------------------------------------------- > >> > >> Message: 1 > >> Date: Tue, 21 Aug 2007 23:32:18 -0700 > >> From: sting > >> Subject: [LARTC] simple tbf rate clamping issues > >> To: LARTC@mailman.ds9a.nl > >> Message-ID: <46CBD872.6060307@bloodwolf.org> > >> Content-Type: text/plain; charset=ISO-8859-1; format=flowed > >> > >> Hello, > >> > >> I was attempting to throttle egress traffic to a specific rate using a > >> tbf. As a starting point I used an example from the LARTC howto, > >> which > >> goes: > >> > >> tc qdisc add dev eth1 root tbf rate 220kbit latency 50ms burst 1540 > >> > >> I then attempt a large fetch from another machine via wget (~40 megs) > >> and the rate was clamped down to about 12Kbytes/s. As this seemed too > >> much, I gradually increased the latency up to 200ms which then gave me > >> the expected results (~34Kbytes/s). > >> > >> I then applied this queuing discipline on a machine acting as a > >> gateway/router for a few VLANed subnets. The tbf was applied on > >> interface eth1.615. From another workstation I attempted a wget, > >> and so > >> the traffic had to go through the gateway/router. The download rate > >> went from 16 Mbytes/s down to about 1.6 Mbytes/s, but was much much > >> higher than what I'm trying to clamp it down to. > >> > >> Two questions: > >> 1/ My main question.
AFAIK, queuing disciplines affect egress traffic > >> whether that traffic originates from the host or is being forwarded. > >> Assuming that the fact the tbf is mostly meant to be applied to > >> forwarded traffic is not an issue, *is there anything else that could > >> cause the transfer rate not to be correctly clamped down?* What > >> parameters should I be playing with? > >> > >> 2/ I'm assuming the first example I quoted must have worked as > >> described > >> when the HOWTO was initially written a few years ago. In any case, > >> I am > >> assuming with 50ms max latency outgoing packets could not be held long > >> enough in the tbf and had to be dropped, correct? > >> > >> Thank you, > >> sting > >> > > > > > > -- Bryan Schenker Director ResTech Services www.restechservices.net 608-663-3868 From bschenker at restechservices.net Wed Aug 22 22:15:55 2007 From: bschenker at restechservices.net (Bryan Schenker) Date: Wed Aug 22 22:15:59 2007 Subject: [LARTC] simple tbf rate clamping issues In-Reply-To: <31601.159.153.138.98.1187808919.squirrel@www.bloodwolf.org> References: <20070822100006.ADBD140DB@outpost.ds9a.nl> <416EC385-CEA7-439C-A763-DF1E982C3976@restechservices.net> <30228.159.153.138.98.1187805719.squirrel@www.bloodwolf.org> <31601.159.153.138.98.1187808919.squirrel@www.bloodwolf.org> Message-ID: <1187813755.5422.148.camel@antipothe> try this:
#makes sure you've deleted anything old
#you might wanna try running /sbin/tc -s qdisc show dev eth1 to verify your current config.
#deletes all qdisc stuff just in case
/sbin/tc qdisc del dev eth1 root
#define root qdisc
/sbin/tc qdisc add dev eth1 root handle 1: htb default 2
#the classes below hang off class 1:1, so it has to exist before they are added
/sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 1000kbit ceil 1000kbit
#define the default rate class--where everything goes that doesn't match one of your filters
/sbin/tc class add dev eth1 parent 1:1 classid 1:2 htb prio 2 rate 1000kbit ceil 1000kbit burst 15k
#define the rate you wish to limit the vlan to
/sbin/tc class add dev eth1 parent 1:1 classid 1:20 htb prio 2 rate 220kbit burst 15k
#now create the filter that puts traffic from that vlan into class 20. 1.2.3.4/24 is a range of IPs, but the filter capabilities are extraordinarily capable if you need to classify traffic some other way. Try replacing "802.1q" with "ip" if it doesn't work
#(the u32 keyword has to come before "match", otherwise tc rejects the filter)
/sbin/tc filter add dev eth1 protocol 802.1q prio 2 parent 1: u32 match ip dst 1.2.3.4/24 flowid 1:20
#now run the following command--very useful to confirm traffic is matching your filters since it will tell you how many packets match each filter rule you make:
tc -s filter show dev eth1
On Wed, 2007-08-22 at 14:55 -0400, sting wrote: > So I did apply the tbf on the eth1 interface instead of the VLAN > interface, and I saw the same results. Some rate limiting was definitely > occurring, but not down to the rate (220kbit) I was expecting. It was > still much higher (~1 Mbytes/s) with the unclamped rate being about 16 > Mbytes/s. > > Has everyone else otherwise pretty much always obtained transfer rates to > be clamped down to what they expected with the tbf? > > thanks. > > > > >> My first guess would be vlans being a problem. I know at least for > >> class based queuing disciplines on vlans, you have to take care to > >> define filters that funnel traffic through a class by selecting > >> 802.1q traffic on the real interface, not the vlan interface. > > > > Wow, why would that be though?
If the VLAN is simply presented as an > > interface, and the queuing disciplines work on an interface basis, what is > > it that breaks it? > > > >> I know traffic shaping does work on vlans with the class based queues > >> because I use it every day. But all my tc statements are applied on a > >> real physical interface and not the vlan interface; I could never get > >> tc to work on vlan interfaces directly. > > > > For what it's worth, I've been applying netem queuing disciplines to many > > different VLAN interfaces and have been getting exactly the expected > > results (the packet loss % is right on, etc). Could you think of anything > > different with a tbf that fails? > > > >> Just a guess, but I bet you'd get the rate limiting you expect on > >> your vlan by applying the tbf rate limit on interface eth1 instead of > >> the vlan interface. If so, and if your goal is to rate limit by vlan, > >> then you will likely need to go with a class based queueing > >> discipline like htb and then define traffic filters to limit each > >> vlan to the rate you wish. > > > > Yes the goal is to limit by VLAN. I will try what you suggested, i.e. > > limit the traffic on the physical interface instead and I'll report back. > > But I hope that won't be the solution! :) > > > >>> ---------------------------------------------------------------------- > >>> > >>> Message: 1 > >>> Date: Tue, 21 Aug 2007 23:32:18 -0700 > >>> From: sting > >>> Subject: [LARTC] simple tbf rate clamping issues > >>> To: LARTC@mailman.ds9a.nl > >>> Message-ID: <46CBD872.6060307@bloodwolf.org> > >>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed > >>> > >>> Hello, > >>> > >>> I was attempting to throttle egress traffic to a specific rate using a > >>> tbf.
As a starting point I used an example from the LARTC howto, > >>> which > >>> goes: > >>> > >>> tc qdisc add dev eth1 root tbf rate 220kbit latency 50ms burst 1540 > >>> > >>> I then attempt a large fetch from another machine via wget (~40 megs) > >>> and the rate was clamped down to about 12Kbytes/s. As this seemed too > >>> much, I gradually increased the latency up to 200ms which then gave me > >>> the expected results (~34Kbytes/s). > >>> > >>> I then applied this queuing discipline on a machine acting as a > >>> gateway/router for a few VLANed subnets. The tbf was applied on > >>> interface eth1.615. From another workstation I attempted a wget, > >>> and so > >>> the traffic had to go through the gateway/router. The download rate > >>> went from 16 Mbytes/s down to about 1.6 Mbytes/s, but was much much > >>> higher than what I'm trying to clamp it down to. > >>> > >>> Two questions: > >>> 1/ My main question. AFAIK, queuing disciplines affect egress traffic > >>> whether that traffic originates from the host or is being forwarded. > >>> Assuming that the fact the tbf is mostly meant to be applied to > >>> forwarded traffic is not an issue, *is there anything else that could > >>> cause the transfer rate not to be correctly clamped down?* What > >>> parameters should I be playing with? > >>> > >>> 2/ I'm assuming the first example I quoted must have worked as > >>> described > >>> when the HOWTO was initially written a few years ago. In any case, > >>> I am > >>> assuming with 50ms max latency outgoing packets could not be held long > >>> enough in the tbf and had to be dropped, correct?
> >>> > >>> Thank you, > >>> sting > >>> > >> > >> > > > > > > -- Bryan Schenker Director ResTech Services www.restechservices.net 608-663-3868 From lists at andyfurniss.entadsl.com Thu Aug 23 01:13:12 2007 From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Thu Aug 23 01:16:04 2007 Subject: [LARTC] simple tbf rate clamping issues In-Reply-To: <46CBD872.6060307@bloodwolf.org> References: <46CBD872.6060307@bloodwolf.org> Message-ID: <46CCC308.10709@andyfurniss.entadsl.com> sting wrote: > Hello, > > I was attempting to throttle egress traffic to a specific rate using a > tbf. As a starting point I used an example from the LARTC howto, which > goes: > > tc qdisc add dev eth1 root tbf rate 220kbit latency 50ms burst 1540 It's not the best example as latency is a way of setting buffer length (limit) and 50ms @ 220kbit is < 1500 bytes. If you set < 1514/1518 explicitly with limit you would not pass bulk packets at all. I guess it rounds it up a bit if you use latency. > > I then attempt a large fetch from another machine via wget (~40 megs) > and the rate was clamped down to about 12Kbytes/s. As this seemed too > much, I gradually increased the latency up to 200ms which then gave me > the expected results (~34Kbytes/s). I would expect that, tcp doesn't like one packet/short buffers, and it's even worse on a lan than a wan as (linux?) tcp behaves differently when it detects low latency. > > I then applied this queuing discipline on a machine acting as a > gateway/router for a few VLANed subnets. The tbf was applied on > interface eth1.615. From another workstation I attempted a wget, and so > the traffic had to go through the gateway/router. The download rate > went from 16 Mbytes/s down to about 1.6 Mbytes/s, but was much much > higher than what I'm trying to clamp it down to.
I just tested a tbf on a vlan and it seems OK - if you see 1.6 Mbytes and tbf is 220kbit maybe you are shaping in the wrong direction and just getting the acks? (OK I am just guessing here) What does tc -s qdisc ls dev eth1.615 say? > > Two questions: > 1/ My main question. AFAIK, queuing disciplines affect egress traffic > whether that traffic originates from the host or is being forwarded. > Assuming that the fact the tbf is mostly meant to be applied to > forwarded traffic is not an issue, *is there anything else that could > cause the transfer rate not to be correctly clamped down?* What > parameters should I be playing with? One possible difference, though it's probably not your problem. If you have a nic that does tcp segmentation offload, then locally generated traffic may go through as supersize "packets" which makes htb go over rate. I am not sure what tbf would do - maybe just drop them if the buffer is not long enough. > > 2/ I'm assuming the first example I quoted must have worked as described > when the HOWTO was initially written a few years ago. In any case, I am > assuming with 50ms max latency outgoing packets could not be held long > enough in the tbf and had to be dropped, correct? Yep, also that example was on a ppp wan IIRC. If you put anything on the root of eth/vlan you need to remember that you are going to be catching arp as well as ip traffic. Andy. From lists at andyfurniss.entadsl.com Thu Aug 23 01:24:03 2007 From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Thu Aug 23 01:23:59 2007 Subject: [LARTC] How to see the sfq hash table ? In-Reply-To: <46C45125.4030602@boreham.org> References: <46C45125.4030602@boreham.org> Message-ID: <46CCC593.5090705@andyfurniss.entadsl.com> David Boreham wrote: > I'm grappling with a problem that looks like sfq is not working > (packets don't get fairly queued, they appear to be always > sent FIFO). My configuration appears to be correct.
> The machine is running quite an old kernel and if I could > convince myself that the sfq code it has is just broken, I'd > spend the time to upgrade it. Is there any way to inspect or > dump the sfq hash table on a running machine ? I don't think so - I would use tcpdump, if you use perturb don't set it too low as it causes packet reordering. There is currently work going on to merge sfq/esfq and the hash will be jhash so should be better than the current one. Andy. From bugfood-ml at fatooh.org Thu Aug 23 06:15:31 2007 From: bugfood-ml at fatooh.org (Corey Hickey) Date: Thu Aug 23 06:15:43 2007 Subject: [LARTC] How to see the sfq hash table ? In-Reply-To: <46CCC593.5090705@andyfurniss.entadsl.com> References: <46C45125.4030602@boreham.org> <46CCC593.5090705@andyfurniss.entadsl.com> Message-ID: <46CD09E3.9050403@fatooh.org> Andy Furniss wrote: > David Boreham wrote: >> I'm grappling with a problem that looks like sfq is not working >> (packets don't get fairly queued, they appear to be always >> sent FIFO). My configuration appears to be correct. >> The machine is running quite an old kernel and if I could >> convince myself that the sfq code it has is just broken, I'd >> spend the time to upgrade it. Is there any way to inspect or >> dump the sfq hash table on a running machine ? > > I don't think so I don't know of any way either, though I will probably write one eventually for diagnostic use. > - I would use tcpdump, if you use perturb don't set it > too low as it causes packet reordering. A couple other notes: 1. SFQ won't do much unless it's attached to a rate limiting qdisc such as HTB, with a specified rate less than that of your Internet connection. 2. SFQ doesn't currently handle more than 128 concurrent flows (TCP connections, etc.), and I would expect the fairness to degrade sooner than that. I have been working on patches to address this, among other things. 
> There is currently work going on to merge sfq/esfq and the hash will be > jhash so should be better than the current one. My own role in that is taking forever, but I am indeed still working on it... -Corey From jaorani at gmail.com Thu Aug 23 11:11:13 2007 From: jaorani at gmail.com (Javier Ors) Date: Thu Aug 23 11:11:38 2007 Subject: [LARTC] Help about a QoS configuration Message-ID: Hi, I would like to make a QoS configuration on a linux based dsl router. It is for a server, so I want to shape outgoing traffic; incoming traffic should not be a problem as long as I have a quite asymmetric connection. I would like to achieve the following goals:
1) To have one class (p2p) having all the available bandwidth if there is no activity on other classes.
2) If another class (ftp server) starts to transmit, to take all the available bandwidth except for, say, 20 KB/s, reserved for p2p.
3) If a third class (ssh, web) starts to transmit, again, to take all the available bandwidth except for the 20KB/s for p2p and 40 KB/s for ftp.
etc... I have an upload link that varies from 700kbit to 1000kbit depending on the negotiation of the line. I wouldn't like to artificially underlimit it to work properly; remember that I'm doing the shaping on the same router, on the real (nas0) interface, so in this case the speed of the interface is the speed of the link, and I think that it shouldn't be necessary to slow down the upload speed... am I wrong? The case is that I have tried to achieve these goals with several configurations of htb, but none of them has worked as I expected. I set the rate of the p2p class to 20KB/s and a higher one for ftp (40KB/s for example), and also a higher priority. But when the ftp class begins to transmit, the p2p class still remains borrowing from the parent over 20KB/s while the ftp class is below its rate. I set the rate of the parent to 1000kbit. Is this behaviour normal? Is there any other way to achieve the above goals?
Thanks in advance for your help and your attention. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070823/05cae064/attachment.html From jonathan.gazeley at bristol.ac.uk Thu Aug 23 13:36:39 2007 From: jonathan.gazeley at bristol.ac.uk (Jonathan Gazeley) Date: Thu Aug 23 13:36:49 2007 Subject: [LARTC] Classful queuing solution Message-ID: <46CD7147.1090900@bristol.ac.uk> Dear all, I am trying to set up multi-user traffic control. In short, I want each user (each IP) to be hard limited to 128kbit download and 64kbit upload. On top of that, I want interactive traffic (ICMP, ACK packets, SSH, etc) to be prioritised to minimise latency. It sounds like it ought to be done with a classful qdisc but I don't really know what I'm doing. I think I want something like the following:
root class (global limit 100mbit)
|
+ 192.168.0.1 class - limit 128kbit
  |
  + priority 0: SSH, ICMP, ACK, etc
  |
  + priority 1: all other traffic
|
+ 192.168.0.2 class - limit 128kbit
|
+ etc
... and similarly for the uplink, but with a per-IP limit of 64kbit. I'm not sure if it's good to have ~250 classes for the IP addresses, and sub classes within those for the different priorities, or if all the traffic should be rate-limited by IP first, and then sorted into a handful of shared classes, to be dequeued. I have taken advice from this list for the past couple of weeks and I have a semi functional script now. However the latency suddenly jumps to >4000ms as soon as the user starts downloading. Also my script uses police rate to limit upload speed - but this is not particularly effective and also not really required, as the box is able to shape traffic in both directions. It is also a NAT box. Related, but not strictly to do with tc, is there any way of concisely and effectively logging connections between NATd users and external IPs?
I need to be able to maintain a log which tells me that a certain user was connected to a certain remote host on a certain port at a certain time and date, for legal reasons. I realise this is a bit of a mammoth request, but I hope someone can help me. Many thanks in advance, Jonathan ------------------------ Jonathan Gazeley ResNet | Wireless & VPN Team Information Systems & Computing University of Bristol ------------------------ From pr-ml at reinhardtweb.de Thu Aug 23 15:48:10 2007 From: pr-ml at reinhardtweb.de (Patrick Reinhardt) Date: Thu Aug 23 15:48:23 2007 Subject: [LARTC] Limited number of bands in PRIO qdisc In-Reply-To: <46CC8E38.1010605@andyfurniss.entadsl.com> References: <200708221324.23380.pr-ml@reinhardtweb.de> <46CC8E38.1010605@andyfurniss.entadsl.com> Message-ID: <200708231548.10760.pr-ml@reinhardtweb.de> Hi! On Wednesday, 22 August 2007 21:27:52, Andy Furniss wrote: > Patrick Reinhardt wrote: > > returns: 'RTNETLINK answers: Invalid argument' > I got a better error message than that - > > "priomap" index > TC_PRIO_MAX=15 > > Grepping for TC_PRIO_MAX shows it's in both kernel and iproute2's copy of > the headers - I don't know if you need to do both or not - but I would > and recompile kernel and tc Thank you very much for this hint. Unfortunately my current idea would require about 1000 bands: To emulate a wireless network I have to assign a packet loss depending on the target IP address. The idea was to use a PRIO qdisc with n bands for n nodes and use filters to assign packets to the appropriate band depending on the target address. Since I am unsure about side-effects of an alteration of TC_PRIO_MAX to a significantly higher value, an alternative would be helpful. Thanks in advance.
Patrick From justin at expertron.co.za Thu Aug 23 19:24:25 2007 From: justin at expertron.co.za (Justin Schoeman) Date: Thu Aug 23 19:24:36 2007 Subject: [LARTC] Traffic shaping questions and possible extensions Message-ID: <46CDC2C9.2040702@expertron.co.za> Hi, It has been quite a while since I looked at what was happening in Linux traffic shaping, so I am not sure if this has been discussed / improved on since I last looked. We use a traffic shaper based on HTB. The basic principles work fine, but we have a problem with 'intermittent traffic' like http and interactive ssh sessions. Each of these categories of traffic has its own class, and is allocated a certain 'guaranteed' rate. However, if other traffic is bursting into this bandwidth, we see that very often it takes so long for the other traffic to throttle back that the effective QoS is very bad. If we hard cap the other traffic to leave the guarantee open, then web and ssh access is very very good. So the problem seems to lie with getting other traffic to slow down quicker. Are there any current solutions/suggestions to working around this? If not, I have one possible solution, and I would appreciate any feedback on it: At the moment, if traffic cannot be sent immediately (there is no bandwidth available for it), then it is first queued, and if the queue gets too long, packets are dropped. This will slow down the sender, but relies on the expiry of TCP timers to achieve this. What I was thinking was that for bulk traffic that needs (and can tolerate) aggressive throttling, instead of queueing the packet, keep a history of the last ACK packet sent, and resend it. The receiver will see this as a duplicate ack, and immediately enter a congestion avoidance algorithm, throttling the data. Is this feasible, or is it a Really Stupid Idea (TM)? Thanks!
Justin From linux at arcoscom.com Fri Aug 24 01:11:35 2007 From: linux at arcoscom.com (ArcosCom Linux User) Date: Fri Aug 24 01:09:12 2007 Subject: [LARTC] tc filter using MASKs in mark Message-ID: <56909.84.123.239.158.1187910696.squirrel@www.arcoscom.com> Hi, I'm having a problem with filtering marked packets with tc. I'm trying to run this: /sbin/tc filter add dev imq0 parent 1:0 protocol ip prio 8 handle 0x7/0x000f fw classid 1:8 But the response is: Illegal "handle" Typing the handle without masked mark is working, but I have a configuration where I need 2 mark types and I'm using masks: Multiple outgoing interfaces (using 0xf000 mask to know the ip route filter to allow specific interface for the outgoing traffic). QoS (using 0x000f) to know the destination class for the flow. Perhaps I have an incorrect syntax typing the masked handle, but I don't find any information about how to type correctly the masked handle with "tc filter" and I'm trying an "ip analogous" syntax. The ip/tc utils versions I'm using are 2.6.20. Could anybody help me with this "syntax problem"? Thanks From indunil75 at gmail.com Fri Aug 24 10:48:54 2007 From: indunil75 at gmail.com (Indunil Jayasooriya) Date: Fri Aug 24 10:49:23 2007 Subject: [LARTC] subdivide 64 kbit bandwidth 32kbit for WWW and 32 Kbit for mail Message-ID: <7ed6b0aa0708240148t7d55e830ke1c7bcf63a4ce219@mail.gmail.com> Hi all, I've got a BOX running CentOS 4.5. It acts as a firewall + router. I have installed both iptables and iproute2. It has 3 network cards. eth0 is connected to Internet (it has an internet ip. pls assume its ip is 1.2.3.4/29). it is a 256 Kbit link. eth1 is DMZ. its ip is 192.168.100.254 eth2 is LAN. Its ip is 192.168.101.254 I have already shaped traffic to 64 Kbit on eth1 for downloading (i.e DMZ zone ). This is the script that does the job. It works fine.
#traffic shaping on eth1 (Downloading)
INTERFAZ_DMZ=eth1
FULLBANDWIDTH=256
BANDWIDTH4DMZ=64
tc qdisc del root dev $INTERFAZ_DMZ
tc qdisc add dev $INTERFAZ_DMZ root handle 1: htb r2q 4
tc class add dev $INTERFAZ_DMZ parent 1: classid 1:2 htb rate "$FULLBANDWIDTH"Kbit
tc class add dev $INTERFAZ_DMZ parent 1: classid 1:5 htb rate "$BANDWIDTH4DMZ"Kbit
tc qdisc add dev $INTERFAZ_DMZ parent 1:5 handle 5: sfq perturb 10
tc filter add dev $INTERFAZ_DMZ parent 1: protocol ip prio 1 u32 match ip dst 192.168.100.0/24 classid 1:5
It has allocated 64 Kbit for downloading for the ip range of 192.168.100.0/24. (DMZ ZONE) Remember, this is a SNATed firewall. Now, what I need is to subdivide this 64 kbit bandwidth: 32kbit for WWW and 32 Kbit for mail. Can I subdivide in that way? If divided, what will happen to other services such as ICMP, SSH, ACK etc? Then, how can I achieve this task? I modified the above script. This is what it looks like after editing.
#traffic shaping on eth1 (Downloading)
INTERFAZ_DMZ=eth1
FULLBANDWIDTH=256
BANDWIDTH4DMZ=64
tc qdisc del root dev $INTERFAZ_DMZ
tc qdisc add dev $INTERFAZ_DMZ root handle 1: htb r2q 4
tc class add dev $INTERFAZ_DMZ parent 1: classid 1:2 htb rate "$FULLBANDWIDTH"Kbit
tc class add dev $INTERFAZ_DMZ parent 1: classid 1:5 htb rate "$BANDWIDTH4DMZ"Kbit
tc class add dev $INTERFAZ_DMZ parent 1:5 classid 1:10 htb rate 32Kbit
tc class add dev $INTERFAZ_DMZ parent 1:5 classid 1:11 htb rate 32Kbit
tc qdisc add dev $INTERFAZ_DMZ parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $INTERFAZ_DMZ parent 1:11 handle 11: sfq perturb 10
#192.168.100.3 is the box that acts as a mail server and a proxy server.
#the port 25 filter must be tried before the catch-all, so it gets the lower prio number; u32 needs the 0xffff mask after dport
tc filter add dev $INTERFAZ_DMZ parent 1: protocol ip prio 1 u32 match ip dst 192.168.100.0/24 match ip dport 25 0xffff classid 1:11
tc filter add dev $INTERFAZ_DMZ parent 1: protocol ip prio 2 u32 match ip dst 192.168.100.0/24 classid 1:10
Pls let me know if it is okay, or any better way to rewrite it? EXPECT YOUR COMMENTS.
-- Thank you Indunil Jayasooriya -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070824/21a82486/attachment.htm From b42-ml at srck.net Fri Aug 24 10:51:49 2007 From: b42-ml at srck.net (Martin Milata) Date: Fri Aug 24 10:54:04 2007 Subject: [LARTC] tc filter using MASKs in mark In-Reply-To: <56909.84.123.239.158.1187910696.squirrel@www.arcoscom.com> References: <56909.84.123.239.158.1187910696.squirrel@www.arcoscom.com> Message-ID: <20070824085149.GC15726@nyx> On Fri, Aug 24, 2007 at 01:11:35AM +0200, ArcosCom Linux User wrote: > Hi, > I'm having a problem with filtering marked packets with tc. > > I'm trying to run this: > > /sbin/tc filter add dev imq0 parent 1:0 protocol ip prio 8 handle > 0x7/0x000f fw classid 1:8 > > But the response is: > > Illegal "handle" > > > Typing the handle without masked mark is working, but I have a > configuration where I need 2 mark types and I'm using masks: > Multiple outgoing interfaces (using 0xf000 mask to know the ip route > filter to allow specific interface for the outgoing traffic). > QoS (using 0x000f) to know the destination class for the flow. > > Perhaps I have an incorrect syntax typing the masked handle, but I don't > find any information about how to type correctly the masked handle with > "tc filter" and I'm trying an "ip analogous" syntax. > > The ip/tc utils versions I'm using are 2.6.20. > > Could anybody help me with this "syntax problem"? > > Thanks I think the fw classifier does not support masks. However, you can also use u32 filter to match marks, and it does support matching with mask. AFAIK, the support for matching marks has to be enabled in the kernel.
CONFIG_CLS_U32_MARK=y And the syntax is like this: tc filter add dev imq0 protocol ip prio 8 parent 1:0 u32 match mark \ 0x7 0x000f flowid 1:8 Regards, -MM From linux at arcoscom.com Fri Aug 24 11:23:55 2007 From: linux at arcoscom.com (ArcosCom Linux User) Date: Fri Aug 24 11:21:31 2007 Subject: [LARTC] tc filter using MASKs in mark In-Reply-To: <20070824085149.GC15726@nyx> References: <56909.84.123.239.158.1187910696.squirrel@www.arcoscom.com> <20070824085149.GC15726@nyx> Message-ID: <33427.195.55.244.106.1187947435.squirrel@www.arcoscom.com> Thanks Martin. Is this flag available with the 2.6.18 kernel version? I'm using a distro kernel and it is so stable that I don't want to upgrade it. Thanks again. Regards On Fri, 24 August 2007, 10:51, Martin Milata wrote: > On Fri, Aug 24, 2007 at 01:11:35AM +0200, ArcosCom Linux User wrote: >> Hi, >> I'm having a problem with filtering marked packets with tc. >> >> I'm trying to run this: >> >> /sbin/tc filter add dev imq0 parent 1:0 protocol ip prio 8 handle >> 0x7/0x000f fw classid 1:8 >> >> But the response is: >> >> Illegal "handle" >> >> >> Typing the handle without masked mark is working, but I have a >> configuration where I need 2 mark types and I'm using masks: >> Multiple outgoing interfaces (using 0xf000 mask to know the ip route >> filter to allow specific interface for the outgoing traffic). >> QoS (using 0x000f) to know the destination class for the flow. >> >> Perhaps I have an incorrect syntax typing the masked handle, but I don't >> find any information about how to type correctly the masked handle with >> "tc filter" and I'm trying an "ip analogous" syntax. >> >> The ip/tc utils versions I'm using are 2.6.20. >> >> Could anybody help me with this "syntax problem"? >> >> Thanks > > I think the fw classifier does not support masks. However, you can also > use u32 filter to match marks, and it does support matching with mask. > AFAIK, the support for matching marks has to be enabled in the kernel.
> > CONFIG_CLS_U32_MARK=y > > And the syntax is like this: > > tc filter add dev imq0 protocol ip prio 8 parent 1:0 u32 match mark \ > 0x7 0x000f flowid 1:8 > > Regards, > -MM > From linux at arcoscom.com Fri Aug 24 11:28:50 2007 From: linux at arcoscom.com (ArcosCom Linux User) Date: Fri Aug 24 11:26:24 2007 Subject: [LARTC] tc filter using MASKs in mark In-Reply-To: <33427.195.55.244.106.1187947435.squirrel@www.arcoscom.com> References: <56909.84.123.239.158.1187910696.squirrel@www.arcoscom.com> <20070824085149.GC15726@nyx> <33427.195.55.244.106.1187947435.squirrel@www.arcoscom.com> Message-ID: <53775.195.55.244.106.1187947730.squirrel@www.arcoscom.com> Answered by myself: $ cat config-2.6.18-8.1.8.1.el5_ArcosCom | grep "CLS_U32" CONFIG_NET_CLS_U32=m CONFIG_CLS_U32_PERF=y CONFIG_CLS_U32_MARK=y Thanks again. On Fri, 24 August 2007, 11:23, ArcosCom Linux User wrote: > Thanks Martin. > > Is this flag available with the 2.6.18 kernel version? > > I'm using a distro kernel and it is so stable that I don't want to upgrade > it. > > Thanks again. > > Regards > > On Fri, 24 August 2007, 10:51, Martin Milata wrote: >> On Fri, Aug 24, 2007 at 01:11:35AM +0200, ArcosCom Linux User wrote: >>> Hi, >>> I'm having a problem with filtering marked packets with tc. >>> >>> I'm trying to run this: >>> >>> /sbin/tc filter add dev imq0 parent 1:0 protocol ip prio 8 handle >>> 0x7/0x000f fw classid 1:8 >>> >>> But the response is: >>> >>> Illegal "handle" >>> >>> >>> Typing the handle without masked mark is working, but I have a >>> configuration where I need 2 mark types and I'm using masks: >>> Multiple outgoing interfaces (using 0xf000 mask to know the ip route >>> filter to allow specific interface for the outgoing traffic). >>> QoS (using 0x000f) to know the destination class for the flow.
>>>
>>> Perhaps I have an incorrect syntax typing the masked handle, but I
>>> don't
>>> find any information about how to type correctly the masked handle with
>>> "tc filter" and I'm trying an "ip analogous" syntax.
>>>
>>> The ip/tc utils versions I'm using are 2.6.20.
>>>
>>> Anybody could help me with this "syntax problem"?
>>>
>>> Thanks
>>
>> I think the fw classifier does not support masks. However, you can also
>> use u32 filter to match marks, and it does support matching with mask.
>> AFAIK, the support for matching marks has to be enabled in the kernel.
>>
>> CONFIG_CLS_U32_MARK=y
>>
>> And the syntax is like this:
>>
>> tc filter add dev imq0 protocol ip prio 8 parent 1:0 u32 match mark \
>> 0x7 0x000f flowid 1:8
>>
>> Regards,
>> -MM
>>
>

From badis.tebbani at gmail.com Fri Aug 24 19:46:41 2007
From: badis.tebbani at gmail.com (TEBBANI BADIS)
Date: Fri Aug 24 19:46:54 2007
Subject: [LARTC] rate used by one pattern traffic
Message-ID:

Hi all,

I use TC/HTB and iptables to shape and classify users of a WLAN. Is there a means to get the amount of bandwidth used by one traffic in a particular class, i.e. @ipsource + @ipdestination for example?

Best regards,
Ba.T
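Back to the "tc filter using MASKs in mark" thread above: the added example below (not code from the thread or from iproute2) models the poster's split mark (0xf000 for the route, 0x000f for the class) and the two match rules as the kernel applies them, cls_fw comparing the whole mark with the handle and cls_u32 comparing only the masked bits. The helper names and the flowid mapping (class 7 to 1:8, as in Martin's line) are this example's own; the `ip rule ... fwmark VALUE/MASK` form is the iproute2 syntax the poster calls "ip analogous".

```python
"""Why the fw classifier rejects 0x7/0x000f while 'u32 match mark' works.

Added example, not code from the thread. It models the poster's mark layout
(bits 0xf000 select the route, bits 0x000f select the HTB class) and the two
match rules as the kernel applies them: cls_fw compares the whole mark with
the handle; cls_u32 'match mark VALUE MASK' compares (mark & MASK) == VALUE.
All names below (ROUTE_MASK, build_mark, ...) are this example's own.
"""

ROUTE_MASK = 0xF000   # route-selection nibble (mask from the thread)
QOS_MASK = 0x000F     # QoS-class nibble (mask from the thread)
ROUTE_SHIFT = 12      # bit position of the route nibble


def build_mark(route: int, qos: int) -> int:
    """Pack a route index (0-15) and a QoS class (0-15) into one fwmark."""
    if not (0 <= route <= 15 and 0 <= qos <= 15):
        raise ValueError("each field must fit in four bits")
    return (route << ROUTE_SHIFT) | qos


def decode_mark(mark: int) -> tuple:
    """Split a packed mark back into (route index, QoS class)."""
    return (mark & ROUTE_MASK) >> ROUTE_SHIFT, mark & QOS_MASK


def fw_matches(mark: int, handle: int) -> bool:
    """cls_fw: the handle is compared against the whole mark, no mask."""
    return mark == handle


def u32_mark_matches(mark: int, value: int, mask: int) -> bool:
    """cls_u32 'match mark VALUE MASK': only the masked bits are compared."""
    return (mark & mask) == value


def select_flowid(mark: int, filters):
    """Walk (value, mask, flowid) triples in chain order; first match wins."""
    for value, mask, flowid in filters:
        if u32_mark_matches(mark, value, mask):
            return flowid
    return None          # no filter hit: the qdisc's default class, if any


def qos_filter_line(dev: str, qos: int, flowid: str, parent: str = "1:0", prio: int = 8) -> str:
    """Render the tc line from Martin's reply for one QoS class."""
    return (f"tc filter add dev {dev} protocol ip prio {prio} parent {parent} "
            f"u32 match mark {qos:#x} {QOS_MASK:#06x} flowid {flowid}")


def route_rule_line(route: int, table: int) -> str:
    """Render the matching 'ip rule' for the route nibble (iproute2's
    fwmark VALUE/MASK form, the 'ip analogous' syntax the poster mentions)."""
    return f"ip rule add fwmark {route << ROUTE_SHIFT:#06x}/{ROUTE_MASK:#06x} table {table}"


def demo() -> dict:
    """One packet marked for route 2 and class 7, checked against both rules."""
    mark = build_mark(route=2, qos=7)                              # 0x2007
    # class q -> flowid 1:(q+1), mirroring 'mark 0x7 ... flowid 1:8' in the thread
    chain = [(q, QOS_MASK, f"1:{q + 1}") for q in range(1, 15)]
    return {
        "mark": mark,
        "fw_handle_0x7": fw_matches(mark, 0x7),                  # False: whole-mark compare
        "u32_0x7_000f": u32_mark_matches(mark, 0x7, QOS_MASK),   # True: masked compare
        "flowid": select_flowid(mark, chain),                    # "1:8"
        "decoded": decode_mark(mark),                            # (2, 7)
    }
```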
From sricketts at maxentric.com Sat Aug 25 00:46:27 2007
From: sricketts at maxentric.com (Scott Ricketts)
Date: Sat Aug 25 00:46:36 2007
Subject: [LARTC] Wireless Ad Hoc and TEQL
Message-ID: <6d9073030708241546lcf21da0j1af8544d0b1098e@mail.gmail.com>

I'm trying to follow Chapter 10 of the howto and apply it to two ubuntu machines each with two 802.11b/g interfaces. However, I cannot get a connection. I would like the 4 interfaces to create 2 ad hoc links on separate channels. I have set this up successfully with the following:

/etc/dbus-1/event.d/25NetworkManager stop

wlanconfig ath0 destroy
wlanconfig ath0 create wlandev wifi0 wlanmode adhoc
iwconfig ath0 essid 'adhoc0'
iwconfig ath0 channel 1
iwconfig ath0 key 'password'
ifconfig ath0 up
ifconfig ath0 192.168.0.YYY
ifconfig ath0 netmask 255.255.255.0
ifconfig ath0 broadcast 192.168.0.255

wlanconfig ath1 destroy
wlanconfig ath1 create wlandev wifi1 wlanmode adhoc
iwconfig ath1 essid 'adhoc1'
iwconfig ath1 channel 11
iwconfig ath1 key 'password'
ifconfig ath1 up
ifconfig ath1 192.168.2.YYY
ifconfig ath1 netmask 255.255.255.0
ifconfig ath1 broadcast 192.168.2.255

where YYY is 100 for host A and 101 for host B. Then I try

modprobe sch_teql
tc qdisc add dev ath0 root teql0
tc qdisc add dev ath1 root teql0
ip link set dev teql0 up
ifconfig teql0 192.168.1.YYY

After this step I cannot ping via any of {ath0, ath1, teql0}. I have tried renaming the devices to eth1 and eth2 via "ip link set dev ath0 name eth1". I do this before the iwconfig commands above, but this does not help. I have also tried following the Chapter 10 instructions more loyally by using "ip addr add dev" instead of ifconfig to set up the IP addresses, but this did not work. After this step the ifconfig output does not reflect the changes that "ip addr add dev" was supposed to make. Any ideas?
Thanks,
Scott

From janasamit at wlink.com.np Sun Aug 26 18:36:10 2007
From: janasamit at wlink.com.np (Samit)
Date: Sun Aug 26 18:36:49 2007
Subject: [LARTC] Traffic shaping PPPoe encapsulated packet
Message-ID: <46D1ABFA.1060901@wlink.com.np>

Hi,

I want a way to traffic shape pppoe encapsulated pkts based on their src/dst IP address. Is there any way I can mark pppoe encapsulated pkts?

Samit

From rangi at ngen.net.nz Sun Aug 26 19:29:28 2007
From: rangi at ngen.net.nz (Rangi Biddle)
Date: Sun Aug 26 19:29:50 2007
Subject: [LARTC] Dead Gateway Detection & BGP
Message-ID: <00a101c7e806$adc89500$0959bf00$@net.nz>

Greetings to all,

To start I'll firstly lay down the foundation to what I have done so far and if those of you on the list can provide further insight, tips, links etc.

This scenario consists of 2 firewalls (both running Debian 'etch'), 2 Cisco routers (unsure of model numbers) connected together like so in the diagram below.

          -----------------------
          |   Uplink Provider   |
          -----------------------
                     |
          -----------------------
          |                     |
  -------------------   --------------------
  |  Cisco Router   |   |  Cisco Router    |
  -------------------   --------------------
          |                     |
  -------------------   --------------------
  |   Firewall 1    |   |   Firewall 2     |
  -------------------   --------------------

Initially, the first task I was designated was to setup BGP routing on 2 firewalls. Each firewall is connected to its own Cisco router provided by the uplink provider and the uplink provider is only providing a default gateway/router to each of the firewalls. Now, having had minimal experience with BGP (minimal in terms of the broadness of what is possible with BGP) and using the information provided by the uplink provider I have setup BGP.

What I have been recently informed of is that the 2 firewalls must do some sort of failover between them when either of the default gateways are no longer responsive.
I had initially looked into using heartbeat (which I am still considering) to do the failover or possibly using vrrpd (Virtual Router Redundancy Protocol Daemon). This however isn't what I am contacting this list about. What I need to do, at a minimum, at least for the failover, is to detect when the default gateway of (say) firewall 1 is no longer available and perform failover to firewall 2 and vice versa.

As far as I am aware the only DGD support available is still through the patches that Julian Anastasov wrote for the 2.4 kernel series or by writing a script that uses arping to determine the last hop available.

What other options are there?

I have done a fair amount of searching the internet only to come back to these 2 possibilities. Surely there must be something else ...

Thanks in advance to anyone that replies as I know that this topic seems to be coming up more and more frequently on the lists and must be getting somewhat tedious for most.

Regards,
Rangi

From abel.martin.ruiz at gmail.com Sun Aug 26 23:46:32 2007
From: abel.martin.ruiz at gmail.com (Abel Martín)
Date: Sun Aug 26 23:46:38 2007
Subject: [LARTC] CONFIG_IP_ROUTE_FWMARK missing
Message-ID: <915136920708261446n2ea658d2r2c06ea6955056199@mail.gmail.com>

Hi,

Kernel option CONFIG_IP_ROUTE_FWMARK is missing in 2.6.20. Can you still route traffic based on marks as stated in chapter 11 of LARTC HOWTO? I read in the list that IPMark doesn't work either, so I thought it might be related.

Thanks.
From lartc at dervishd.net Mon Aug 27 00:14:07 2007
From: lartc at dervishd.net (DervishD)
Date: Mon Aug 27 00:14:38 2007
Subject: [LARTC] HTB doesn't give me the promised rate: cpufreq?
Message-ID: <20070826221407.GA1944@DervishD>

Hi all :)

I've been using a tc setup for almost two years, but at some point (probably when I switched to kernel 2.6.x, but I'm not sure) it has started doing something very weird.

For a certain class, the rate is 125000bit and the ceil is 270000bit, but the fastest rate I get is about 75-80000bit, instead of the "promised" 125000, *with no other traffic in the device*.

If I disable tc entirely, the upload rate is more than 300000bit (a little below the line capacity, which is 320000bit), but as soon as tc is enabled again, the upload speed drops again to 75-80kbit. There is no other traffic on the device, really, it's just like if the htb couldn't queue packets fast enough :???

I've thought that the culprit may be cpufreq. I have cpufreq scaling activated, and cpufreq reduces the clock speed from 1800MHz to 1000MHz when the processor is idle. This is more or less the same amount that I "lose" in the rate. May this be the problem? How to fix without deactivating cpufreq?

I'm using htb+sfq, and I can post here my tc setup if needed (it's quite short), including the filters. It should be OK, since it has been working for almost two years. Right now I cannot disable cpufreq because of temperature problems, and I cannot shut down the machine either, so I cannot test if cpufreq is the culprit, that's why I'm asking. I haven't found anything while googling, either.

If anybody has any idea about this problem, please tell. Thanks a lot in advance :))

Raúl Núñez de Arenas Coronado
--
Linux Registered User 88736 | http://www.dervishd.net
It's my PC and I'll cry if I want to... RAmen!
From gtaylor at riverviewtech.net Mon Aug 27 16:42:50 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Mon Aug 27 16:40:40 2007
Subject: [LARTC] Dead Gateway Detection & BGP
In-Reply-To: <00a101c7e806$adc89500$0959bf00$@net.nz>
References: <00a101c7e806$adc89500$0959bf00$@net.nz>
Message-ID: <46D2E2EA.3010803@riverviewtech.net>

On 08/26/07 12:29, Rangi Biddle wrote:
> Greetings to all,
>
> To start I'll firstly lay down the foundation to what I have done so
> far and if those of you on the list can provide further insight,
> tips, links etc.
>
> This scenario consists of 2 firewalls (both running Debian 'etch'), 2
> Cisco routers (unsure of model numbers) connected together like so in
> the diagram below.
>
>          +-----------------+
>          | Uplink Provider |
>          +--------+--------+
>                   |
>         +---------+---------+
>         |                   |
> +-------+-------+   +-------+-------+
> | Cisco Router  |   | Cisco Router  |
> +-------+-------+   +-------+-------+
>         |                   |
> +-------+-------+   +-------+-------+
> | Firewall # 1  |   | Firewall # 2  |
> +---------------+   +-------+-------+
>
> Initially, the first task I was designated was to setup BGP routing
> on 2 firewalls. Each firewall is connected to its own Cisco router
> provided by the uplink provider and the uplink provider is only
> providing a default gateway/router to each of the firewalls. Now,
> having had minimal experience with BGP (minimal in terms of the
> broadness of what is possible with BGP) and using the information
> provided by the uplink provider I have setup BGP.
>
> What I have been recently informed of is that the 2 firewalls must do
> some sort of failover between them when either of the default
> gateways are no longer responsive. I had initially looked into
> using heartbeat (which I am still considering) to do the failover or
> possibly using vrrpd (Virtual Router Redundancy Protocol Daemon).
> This however isn't what I am contacting this list about.
> What I need
> to do at minimal, is at least for the failover, is to detect when the
> default gateway of (say) firewall 1 is no longer available and
> perform failover to firewall 2 and vice versa. As far as I am aware
> the only DGD support available is still through the patches that
> Julian Anastasov wrote for the 2.4 kernel series or by writing a
> script that uses arping to determine the last hop available.

In my experience, Julian's DGD patch(s) are very good but not needed for your scenario. I have achieved a very similar scenario with a stock kernel. The main thing(s) that Julian's patches do is provide Dead Gateway Detection for (this is the key point) "non-default" routes, while the kernel itself is capable of providing this for default routes.

> What other options are there?

Add two equal metric default routes in reverse priority. (It is my experience that the route command populates the routing table by pushing new routes on to the top to be read before other existing routes.)

> I have done a fair amount of searching the internet only to come back
> to these 2 possibilities. Surely there must be something else ...

Well, you are touching on some key points to what needs to be done, but there are still other things to be considered for a truly redundant scenario.

> Thanks in advance to anyone that replies as I know that this topic
> seems to be coming up more and more frequently on the lists and must
> be getting somewhat tedious for most.

You are welcome.

Grant. . . .
From gtaylor at riverviewtech.net Mon Aug 27 18:51:41 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Mon Aug 27 18:49:03 2007
Subject: [LARTC] Dead Gateway Detection & BGP
In-Reply-To: <46D2E2EA.3010803@riverviewtech.net>
References: <00a101c7e806$adc89500$0959bf00$@net.nz> <46D2E2EA.3010803@riverviewtech.net>
Message-ID: <46D3011D.1050709@riverviewtech.net>

After talking with a colleague on the ethics of this message I (/ we) decided that I needed to make the same offer to everyone on this mailing list that I privately made to Rangi Biddle.

The company that I work for is in business to do many different things, included in which is helping with specialized configurations like I believe that Rangi Biddle is needing. As such I offered to consult with Rangi Biddle for $1/min on what my company has done in the past to generate complete solutions, not just pieces of the puzzle leaving Rangi Biddle to put them together on his own.

I myself and the company that I work for want to offer as much back to the community as it has offered to us. As such I / we are willing to help point people in the right direction and show them some of the pieces to the puzzle. However, business being what it is, I am not allowed to always provide the entire step by step how to guide for many different things.

My company has invested time and money into being able to provide solutions using open source products for such things as load balancing a medium size network across multiple cable modems, redundant fail over routing for globally routable addresses, down to segmenting a multi tenant building so that tenants can not cross infect each other while sharing one single IP subnet.

I am curious what the community's reaction is to this and ask for and encourage responses with regards to when is it appropriate for individuals / companies to move from "free to the public" support to "reasonable rate commercial support".

I apologize if my actions offended any one.
However, please if they did, contact me either on or off list as I would like to know why they did.

Thank you and have a nice day,

Grant Taylor
Systems Administrator
Riverview Technologies Inc.
2311 East Walnut
Columbia MO 65201
United States of America
Phone: +1 (573) 442-7151
Fax: +1 (573) 442-3062
eMail: gtaylor (at) riverviewtech (dot) net

From rabbit at rabbit.us Mon Aug 27 19:21:32 2007
From: rabbit at rabbit.us (Peter Rabbitson)
Date: Mon Aug 27 19:21:48 2007
Subject: [LARTC] Dead Gateway Detection & BGP
In-Reply-To: <46D3011D.1050709@riverviewtech.net>
References: <00a101c7e806$adc89500$0959bf00$@net.nz> <46D2E2EA.3010803@riverviewtech.net> <46D3011D.1050709@riverviewtech.net>
Message-ID: <46D3081C.8000800@rabbit.us>

Grant Taylor wrote:
> I my self and the company that I work for want to offer as much back to
> the community as it has offered to us.

> My company has invested time and money

> I am curious what the community's reaction is to this and ask for and
> encourage responses with regards to when is it appropriate for
> individuals / companies to move from "free to the public" support to
> "reasonable rate commercial support".

I for one can not speak for the community, but the three points highlighted above do not add up. Here is the scoring:

                          Community    Your Company
  Cost of help offered    free         paid
  Time/money investment   large        large
                                       2 : 1

It is OK to charge for any provided service, good or bad. It is not OK to label this as "giving back as much as was offered".

Regards
Peter

From lists at andyfurniss.entadsl.com Mon Aug 27 21:50:42 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Mon Aug 27 21:50:45 2007
Subject: [LARTC] Classful queuing solution
In-Reply-To: <46CD7147.1090900@bristol.ac.uk>
References: <46CD7147.1090900@bristol.ac.uk>
Message-ID: <46D32B12.20300@andyfurniss.entadsl.com>

Jonathan Gazeley wrote:
> Dear all,
>
> I am trying to set up multi-user traffic control.
> In short, I want each
> user (each IP) to be hard limited to 128kbit download and 64kbit upload.
> On top of that, I want interactive traffic (ICMP, ACK packets, SSH, etc)
> to be prioritised to minimise latency. It sounds like it ought to be
> done with a classful qdisc but I don't really know what I'm doing. I
> think I want something like the following:
>
> root class (global limit 100mbit)
> |
> + 192.168.0.1 class - limit 128kbit
> | + priority 0: SSH, ICMP, ACK, etc
> | + priority 1: all other traffic
> |
> + 192.168.0.2 class - limit 128kbit
> | + etc
>
> ... and similarly for the uplink, but with a per-IP limit of 64kbit.
>
> I'm not sure if it's good to have ~250 classes for the IP addresses, and
> sub classes within those for the different priorities, or if all the
> traffic should be rate-limited by IP first, and then sorted into a
> handful of shared classes, to be dequeued.

I am not sure how well htb will behave with 250 classes when they are all active - but I don't think the second option will work, as if you rate limit first then you will have already delayed the interactive. Also you can't easily double queue traffic anyway.

>
> I have taken advice from this list for the past couple of weeks and I
> have a semi functional script now. However the latency suddenly jumps to
> >4000ms as soon as the user starts downloading.

That sounds like your classification is failing to separate the traffic properly. What does the script look like?

> Also my script uses
> police rate to limit upload speed - but this is not particularly
> effective and also not really required, as the box is able to shape
> traffic in both directions. It is also a NAT box.

Policing could be an option both ways - each user may see a bit of loss on interactive when downloading, but unless they have loads of bulk connections open there shouldn't be too much, and policing doesn't add latency.
>
> Related, but not strictly to do with tc, is there any way of concisely
> and effectively logging connections between NATd users and external IPs?
> I need to be able to maintain a log which tells me that a certain user
> was connected to a certain remote host on a certain port at a certain
> time and date, for legal reasons.

Not sure really - would just dumping the conntrack table periodically be enough? Maybe not, as you could miss some I suppose.

You could try asking on the netfilter users list, there are libs/user space daemons that can log/process packets from netfilter, but I don't know the detail.

netfilter@lists.netfilter.org

Andy.

From lists at andyfurniss.entadsl.com Mon Aug 27 21:53:02 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Mon Aug 27 21:53:10 2007
Subject: [LARTC] Limited number of bands in PRIO qdisc
In-Reply-To: <200708231548.10760.pr-ml@reinhardtweb.de>
References: <200708221324.23380.pr-ml@reinhardtweb.de> <46CC8E38.1010605@andyfurniss.entadsl.com> <200708231548.10760.pr-ml@reinhardtweb.de>
Message-ID: <46D32B9E.9050407@andyfurniss.entadsl.com>

Patrick Reinhardt wrote:
> Hi!
>
> On Wednesday, 22 August 2007 21:27:52, Andy Furniss wrote:
>> Patrick Reinhardt wrote:
>>> returns: 'RTNETLINK answers: Invalid argument'
>> I got a better error message than that -
>>
>> "priomap" index > TC_PRIO_MAX=15
>>
>> Grepping for TC_PRIO_MAX shows it's in both kernel and iproute2's copy of
>> the headers - I don't know if you need to do both or not - but I would
>> and recompile kernel and tc
> Thank you very much for this hint. Unfortunately my current idea would require
> about 1000 bands:
>
> To emulate a wireless network I have to assign a packet loss depending on the
> target IP address. The idea was to use a PRIO qdisc with n bands for n nodes
> and use filters to assign packets to the appropriate band depending on the
> target address.
>
> Since I am unsure about side-effects of an alteration of TC_PRIO_MAX to a
> significantly higher value, an alternative would be helpful.

I suppose you could try ifb - but there is probably a define somewhere needing to be changed if you want 1000, but then you could have 16 prio on each.

Andy.

From lists at andyfurniss.entadsl.com Mon Aug 27 22:20:51 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Mon Aug 27 22:20:53 2007
Subject: [LARTC] HTB doesn't give me the promised rate: cpufreq?
In-Reply-To: <20070826221407.GA1944@DervishD>
References: <20070826221407.GA1944@DervishD>
Message-ID: <46D33223.20508@andyfurniss.entadsl.com>

DervishD wrote:
> Hi all :)
>
> I've been using a tc setup for almost two years, but at some point
> (probably when I switched to kernel 2.6.x, but I'm not sure) it has
> started making something very weird.
>
> For a certain class, the rate is 125000bit and the ceil is
> 270000bit, but the fastest rate I get is about 75-80000bit, instead of
> the "promised" 125000, *with no other traffic in the device*.
>
> If I disable tc entirely, the upload rate is more than 300000bit (a
> little below the line capacity, which is 320000bit), but as soon as tc
> is enabled again, the upload speed drops again to 75-80kbit. There is no
> other traffic on the device, really, it's just like if the htb couldn't
> queue packets fast enough :???
>
> I've thought that the culprit may be cpufreq. I have cpufreq scaling
> activated, and cpufreq reduces the clock speed from 1800MHz to 1000MHz
> when the processor is idle. This is more or less the same amount that I
> "lose" in the rate. May this be the problem? How to fix without
> deactivating cpufreq?

Could be - I don't know. Forgetting cpufreq, htb can be limited by Hz if the burst size is too small.

tc -s -d class ls dev ...

should show the size being used.

>
> I'm using htb+sfq, and I can post here my tc setup if needed (is
> quite short), including the filters.
> It should be OK, since it has been
> working for almost two years. Right now I cannot disable cpufreq because
> temperature problems, and I cannot shut down the machine either, so I
> cannot test if cpufreq is the culprit, that's why I'm asking. I haven't
> found anything while googling, either.

If you have perturb too low on sfq the packet reordering it causes could make the sender back off too much.

Andy.

>
> If anybody has any idea about this problem, please tell. Thanks a
> lot in advance :))
>
> Raúl Núñez de Arenas Coronado
>

From lists at andyfurniss.entadsl.com Mon Aug 27 22:55:51 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Mon Aug 27 22:55:53 2007
Subject: [LARTC] Traffic shaping PPPoe encapsulated packet
In-Reply-To: <46D1ABFA.1060901@wlink.com.np>
References: <46D1ABFA.1060901@wlink.com.np>
Message-ID: <46D33A57.4030805@andyfurniss.entadsl.com>

Samit wrote:
> Hi,
>
> I want a way to traffic shape pppoe encapsulated pkts based on their
> src/dst IP address. Is there any way I can mark pppoe encapsulated pkts?

I don't know what you can do with iptables now it's X tables.

If you have the ppp interface on the shaping/netfilter box then you will see ip from/to it anyway.

If the pppoe is just passing through then you should be able to make a u32 filter to match parts of the packet.

Use tcpdump -e to see the ethertype protocol number for pppoe data frames and make a filter to match that number, then I guess the IP part will be at an offset of 8 more than the normal offsets. You will need to use u32 to match the src/dst addresses in hex.

I have never done it, but it should be possible.

tc filter add dev $DEV protocol $PPPOE prio 1 u32 match u32 0xc0a80001 0xffffffff at 20 flowid ....

should match src 192.168.0.1, use "at 24" for dst.
Andy

From lists at andyfurniss.entadsl.com Mon Aug 27 23:57:47 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Mon Aug 27 23:58:05 2007
Subject: [LARTC] Traffic shaping questions and possible extensions
In-Reply-To: <46CDC2C9.2040702@expertron.co.za>
References: <46CDC2C9.2040702@expertron.co.za>
Message-ID: <46D348DB.2000907@andyfurniss.entadsl.com>

Justin Schoeman wrote:
> Hi,
>
> It has been quite a while since I looked at what was happening in Linux
> traffic shaping, so I am not sure if this has been discussed / improved
> on since I last looked.
>
> We use a traffic shaper based on HTB. The basic principles work fine,
> but we have a problem with 'intermittent traffic' like http and
> interactive ssh sessions.
>
> Each of these categories of traffic have their own class, and are
> allocated a certain 'guaranteed' rate. However, if other traffic is
> bursting into this bandwidth, we see that very often it takes so long
> for the other traffic to throttle back that the effective QoS is very bad.
>
> If we hard cap the other traffic to leave the guarantee open, then web
> and ssh access is very very good.
>
> So the problem seems to lie with getting other traffic to slow down
> quicker.
>
> Are there any current solutions/suggestions to working around this?
>
> If not, I have one possible solution, and I would appreciate any
> feedback on it:
>
> At the moment, if traffic cannot be sent immediately (there is no
> bandwidth available for it), then it is first queued, and if the queue
> gets too long, packets are dropped.
>
> This will slow down the sender, but relies on the expiry of TCP timers
> to achieve this.
>
> What I was thinking was that for bulk traffic that needs (and can
> tolerate aggressive throttling), instead of queueing the packet, keep a
> history of the last ACK packet sent, and resend it.
>
> The receiver will see this as a duplicate ack, and immediately enter a
> congestion avoidance algorithm, throttling the data.
>
> Is this feasible, or is it a Really Stupid Idea (TM)?

I don't know if it would work as most tcp connections use SACK now, so that's what would be expected.

I assume you are only talking about ingress shaping for a slow(ish) line. It's a pain - I used to have trouble on a 500kbit line, it's not so much of a problem now I have 7mbit :-)

Perhaps you could do better by being a bit more aggressive with queue lengths, maybe use sfq as well.

I don't think timers come into it, it's just that if you tail drop, especially if the connections are still in slowstart, then the bandwidth ramps up until the next packet after the dropped one gets dequeued, which is too late to stop the ISP buffer being filled. Policers, though a bit inflexible, don't suffer from this.

How long are your queues - maybe a bit too long, and how close to line rate are your rates, maybe too close so the queues only fill slowly.

When I had 500kbit I tried changing sfq to head drop - it seemed to help (though I have doubts about the hack every time I look at it). My aim was low latency, so I used netfilter connbytes to mark the first 80K IIRC of new connections and their bulk packets got sent to a class at 50% rate with the head dropping sfq with a limit of 12 - that got them out of slowstart fairly quickly. It still wasn't perfect for latency if there was established bulk as well (which went to slightly longer per user head droppers at 80% ceil but lower prio than the new class), but a lot better than tail drop.

It didn't seem too bad for browsing - but then it was browsing with 4 concurrent new connections that caused me most problems WRT latency for games, so slower browsing was a price worth paying.

Andy.
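Returning to Andy's PPPoE reply in the "Traffic shaping PPPoe encapsulated packet" thread above: the added example below (not code from the thread) builds a constructed Ethernet/PPPoE/PPP/IPv4 frame and evaluates `match u32 VALUE MASK at OFF` the way cls_u32 does, to show where the "8 more than the normal offsets" comes from (6-byte PPPoE header plus the 2-byte PPP protocol field, so src at 20 and dst at 24 counted from the PPPoE header). The `match u16 0x0021 0xffff at 6` guard for IPv4-inside-PPP is this example's addition, as are all helper names.

```python
"""Checking the u32 offsets for IPv4 inside PPPoE against a real frame layout.

Added example, not code from the thread. It builds a constructed
Ethernet / PPPoE-session / PPP / IPv4 frame and evaluates 'match u32 VALUE
MASK at OFF' the way cls_u32 does: read the big-endian 32-bit word at OFF,
AND it with MASK, compare with VALUE. With the filter attached for protocol
0x8864, offsets count from the PPPoE header, so the 6-byte PPPoE header plus
the 2-byte PPP protocol field shift the IPv4 fields by 8: src 12+8 = 20,
dst 16+8 = 24. Names (pppoe_frame, u32_match, ...) are this example's own.
"""
import struct
from ipaddress import IPv4Address

ETH_P_PPP_SES = 0x8864    # PPPoE session-stage ethertype (RFC 2516), what tcpdump -e shows
PPP_IPV4 = 0x0021         # PPP protocol number for IPv4
ETH_HLEN = 14
PPPOE_HLEN = 6            # ver/type, code, session id, length
PPP_PROTO_LEN = 2
IP_SHIFT = PPPOE_HLEN + PPP_PROTO_LEN   # == 8, the "8 more than the normal offsets"


def ipv4_header(src: str, dst: str, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (TCP, TTL 64); checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def pppoe_frame(src: str, dst: str, session_id: int = 0x1234, payload: bytes = b"") -> bytes:
    """Constructed frame: dummy MACs, ethertype 0x8864, PPPoE code 0 (session data)."""
    ppp = struct.pack("!H", PPP_IPV4) + ipv4_header(src, dst, len(payload)) + payload
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp)) + ppp
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_PPP_SES)
    return eth + pppoe


def u32_match(pkt: bytes, value: int, mask: int, at: int) -> bool:
    """'match u32 VALUE MASK at AT' evaluated on the packet the filter sees."""
    if at < 0 or at + 4 > len(pkt):
        return False                           # word not present: no match
    (word,) = struct.unpack_from("!I", pkt, at)
    return (word & mask) == value


def u16_match(pkt: bytes, value: int, mask: int, at: int) -> bool:
    """'match u16' as tc rewrites it: a u32 test on the 4-byte-aligned word."""
    if at % 2:
        raise ValueError("u16 offsets must be even")
    shift = 16 if at % 4 == 0 else 0           # high or low half of that word
    return u32_match(pkt, value << shift, mask << shift, at - at % 4)


def pppoe_ip_match(frame: bytes, src: str = None, dst: str = None) -> bool:
    """Emulate Andy's filter on one Ethernet frame. The added 'match u16
    0x0021 0xffff at 6' guard checks that the PPP payload really is IPv4
    before the address words at 20/24 are trusted."""
    if len(frame) < ETH_HLEN or struct.unpack_from("!H", frame, 12)[0] != ETH_P_PPP_SES:
        return False                           # filter is only attached for protocol 0x8864
    pkt = frame[ETH_HLEN:]                     # u32 offsets start at the PPPoE header
    if not u16_match(pkt, PPP_IPV4, 0xFFFF, PPPOE_HLEN):
        return False
    ok = True
    if src is not None:
        ok = ok and u32_match(pkt, int(IPv4Address(src)), 0xFFFFFFFF, 12 + IP_SHIFT)
    if dst is not None:
        ok = ok and u32_match(pkt, int(IPv4Address(dst)), 0xFFFFFFFF, 16 + IP_SHIFT)
    return ok


def filter_line(dev: str, src: str, flowid: str) -> str:
    """The tc command this emulation corresponds to, for a source match."""
    return (f"tc filter add dev {dev} protocol {ETH_P_PPP_SES:#x} prio 1 u32 "
            f"match u16 {PPP_IPV4:#06x} 0xffff at {PPPOE_HLEN} "
            f"match u32 {int(IPv4Address(src)):#010x} 0xffffffff at {12 + IP_SHIFT} "
            f"flowid {flowid}")
```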
From lists at andyfurniss.entadsl.com Tue Aug 28 02:25:13 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Tue Aug 28 02:25:14 2007
Subject: [LARTC] subdivide 64 kbit bandwidth 32kbit for WWW and 32 Kbit for mail
In-Reply-To: <7ed6b0aa0708240148t7d55e830ke1c7bcf63a4ce219@mail.gmail.com>
References: <7ed6b0aa0708240148t7d55e830ke1c7bcf63a4ce219@mail.gmail.com>
Message-ID: <46D36B69.7080509@andyfurniss.entadsl.com>

Indunil Jayasooriya wrote:
> Hi all,
>
> I've got a BOX running CentOS 4.5. It acts as a firewall + router.
>
> I have installed both iptables and iproute2.
>
> It has 3 network cards.
>
> eth0 is connected to Internet (it has an internet ip. pls assume its ip is
> 1.2.3.4/29). it is a 256 Kbit link.
> eth1 is DMZ. its ip is 192.168.100.254
> eth2 is LAN. Its ip is 192.168.101.254
>
> I have already shaped traffic to 64 Kbit on eth1 for downloading (i.e DMZ
> zone ).
>
> This is the script that does the job. It works fine.
>
> #traffic shaping on eth1 (Downloading)
>
> INTERFAZ_DMZ=eth1
> FULLBANDWIDTH=256
> BANDWIDTH4DMZ=64
>
> tc qdisc del root dev $INTERFAZ_DMZ
>
> tc qdisc add dev $INTERFAZ_DMZ root handle 1: htb r2q 4
> tc class add dev $INTERFAZ_DMZ parent 1: classid 1:2 htb rate "$FULLBANDWIDTH"Kbit
> tc class add dev $INTERFAZ_DMZ parent 1: classid 1:5 htb rate "$BANDWIDTH4DMZ"Kbit
> tc qdisc add dev $INTERFAZ_DMZ parent 1:5 handle 5: sfq perturb 10
> tc filter add dev $INTERFAZ_DMZ parent 1: protocol ip prio 1 u32 match ip dst 192.168.100.0/24 classid 1:5
>
>
> It has allocated 64 Kbit for downloading for the ip range of
> 192.168.100.0/24. (DMZ ZONE)
>
> Remember, this is a SNATed firewall.
>
> Now, what I need is to subdivide this 64 kbit bandwidth: 32kbit for WWW and
> 32 Kbit for mail.

Do you want to share 64kbit so if there is no mail then www can have all 64kbit?

>
> Can I subdivide in that way ? If divided , What will happen to other
> services such as ICMP, SSH, ACK etc ?
You need to make your rules to allow for these as well - depending on what other traffic hits the server it may be best to give everything other than big tcp www/mail packets priority.

>
> Then, How can I achieve this task?
>
> I modified the the above script. This is what it looks like after editing.
>
>
>
> #traffic shaping on eth1 (Downloading)

It can be hard to shape properly from the wrong end of a slow wan - but your rates here are low so it should be OK.

>
> INTERFAZ_DMZ=eth1
> FULLBANDWIDTH=256
> BANDWIDTH4DMZ=64
>
> tc qdisc del root dev $INTERFAZ_DMZ
>
> tc qdisc add dev $INTERFAZ_DMZ root handle 1: htb r2q 4
> tc class add dev $INTERFAZ_DMZ parent 1: classid 1:2 htb rate "$FULLBANDWIDTH"Kbit
> tc class add dev $INTERFAZ_DMZ parent 1: classid 1:5 htb rate "$BANDWIDTH4DMZ"Kbit
>
> tc class add dev $INTERFAZ_DMZ parent 1:5 classid 1:10 htb rate 32kbit
> tc class add dev $INTERFAZ_DMZ parent 1:5 classid 1:11 htb rate 32Kbit
>
> tc qdisc add dev $INTERFAZ_DMZ parent 1:10 handle 10: sfq perturb 10
> tc qdisc add dev $INTERFAZ_DMZ parent 1:11 handle 11: sfq perturb 10
>
> #192.168.100.3 is the BOX that acts as a mail server and a proxyserver.
> tc filter add dev $INTERFAZ_DMZ parent 1: protocol ip prio 1 u32 match ip dst 192.168.100.0/24 classid 1:10
> # tc expects a mask after dport: "match ip dport 25 0xffff"
> tc filter add dev $INTERFAZ_DMZ parent 1: protocol ip prio 1 u32 match ip dst 192.168.100.0/24 match ip dport 25 0xffff classid 1:11
>

If these go in in order of entry (they usually do if prio is the same, but not always!) then nothing will reach 1:11.

>
>
> Pls let me know if it is Okay? or any better way to rewrite it?

It depends what you want and on your setup. Do you have traffic from LAN to the proxy/mail - do you really need to shape that or not? Do you have traffic from the internet to LAN as well - do you need to shape that - maybe sharing bandwidth with DMZ.

>
> EXPECT YOUR COMMENTS.
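Andy's point about filter order, as an added example (not code from the thread): a model of how a tc filter chain is walked, applied to the two filters from the posted script and to a reordered chain where the port-25 filter gets the lower prio number. The class names, the helper names and the sample addresses are this example's own; the catch-all behaviour described in the comments is that of an HTB root with no `default`.

```python
"""Why the 'dport 25' filter in the script above never sees a packet.

Added example, not code from the thread. It models how a tc filter chain is
walked: filters are tried in increasing 'prio', filters sharing a prio in the
order they were added (usual, but as Andy notes not guaranteed), and the
first filter whose every 'match' succeeds decides the class. The poster's
chain is reproduced, then a reordered one. Names are this example's own.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class U32Filter:
    prio: int
    dst_net: str                  # 'match ip dst A.B.C.D/N'
    classid: str                  # 'classid 1:NN'
    dport: Optional[int] = None   # 'match ip dport P 0xffff' (tc wants the mask)

    def matches(self, dst: str, dport: int) -> bool:
        """All 'match' keys of one filter must hold for it to fire."""
        if ip_address(dst) not in ip_network(self.dst_net):
            return False
        return self.dport is None or self.dport == dport


def classify(chain: List[U32Filter], dst: str, dport: int) -> Optional[str]:
    """First match by (prio, insertion order). None means unclassified; an HTB
    root without 'default' then sends the packet to its direct queue, unshaped."""
    for f in sorted(chain, key=lambda f: f.prio):     # sorted() is stable
        if f.matches(dst, dport):
            return f.classid
    return None


def posted_chain() -> List[U32Filter]:
    """The two filters from the posted script: same prio, catch-all first."""
    return [
        U32Filter(prio=1, dst_net="192.168.100.0/24", classid="1:10"),
        U32Filter(prio=1, dst_net="192.168.100.0/24", classid="1:11", dport=25),
    ]


def reordered_chain() -> List[U32Filter]:
    """Most specific filter at the lowest prio number; the catch-all after it."""
    return [
        U32Filter(prio=1, dst_net="192.168.100.0/24", classid="1:11", dport=25),
        U32Filter(prio=2, dst_net="192.168.100.0/24", classid="1:10"),
    ]


def tc_line(dev: str, f: U32Filter) -> str:
    """Render one filter as the tc command it stands for."""
    cmd = (f"tc filter add dev {dev} parent 1: protocol ip prio {f.prio} "
           f"u32 match ip dst {f.dst_net}")
    if f.dport is not None:
        cmd += f" match ip dport {f.dport} 0xffff"
    return cmd + f" classid {f.classid}"


def demo() -> dict:
    """Mail to the DMZ mail server (port 25) and web traffic, under both chains."""
    return {
        "posted_smtp": classify(posted_chain(), "192.168.100.3", 25),         # "1:10": wrong class
        "reordered_smtp": classify(reordered_chain(), "192.168.100.3", 25),   # "1:11"
        "reordered_www": classify(reordered_chain(), "192.168.100.3", 80),    # "1:10"
        "lan_unclassified": classify(reordered_chain(), "192.168.101.7", 80), # None: not shaped
    }
```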
From nozo at ziu.info Tue Aug 28 07:02:21 2007
From: nozo at ziu.info (Michal Soltys)
Date: Tue Aug 28 07:02:30 2007
Subject: [LARTC] prio bands and ignored priomap when any tc filter is present
Message-ID: <46D3AC5D.3010601@ziu.info>

Today I've noticed a bit strange (?) behaviour when prio qdisc is used. Example (having no filters/qdisc/etc. at the start):

Add simple 9 bands qdisc, set each mapping to lowest priority band:

tc qdisc add dev $eth root handle 1: prio bands 9 priomap 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8

If I do just that, all is fine - whole traffic ends in 9th band, which can easily be verified by

tc -s class show dev $eth

But, if I add the following filter:

tc filter add dev $eth parent 1:0 protocol arp prio 1 u32 classid 1:1 match u32 0 0

I can immediately see traffic landing in extra bands (arp excluded, which keeps going to the 1st band).
In my case, small example:

class prio 1:1 parent 1:
 Sent 35723 bytes 841 pkt (dropped 0, overlimits 0 requeues 0) backlog 0b 0p requeues 0
class prio 1:2 parent 1:
 Sent 3681 bytes 46 pkt (dropped 0, overlimits 0 requeues 0) backlog 0b 0p requeues 0
class prio 1:3 parent 1:
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) backlog 0b 0p requeues 0
class prio 1:4 parent 1:
 Sent 25814 bytes 431 pkt (dropped 0, overlimits 0 requeues 0) backlog 0b 0p requeues 0
class prio 1:5 parent 1:
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) backlog 0b 0p requeues 0
class prio 1:6 parent 1:
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) backlog 0b 0p requeues 0
class prio 1:7 parent 1:
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) backlog 0b 0p requeues 0
class prio 1:8 parent 1:
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) backlog 0b 0p requeues 0
class prio 1:9 parent 1:
 Sent 75039 bytes 887 pkt (dropped 0, overlimits 0 requeues 0) backlog 0b 0p requeues 0

The majority of the traffic still goes to 1:9, as it should for packets unclassified by the filter, but why are there packets in 1:2 and 1:4?

A simple workaround is just to add a catch-all u32 filter with the lowest priority at the end, still - is this intended behaviour?

From milisbali at nangura.net Tue Aug 28 07:50:05 2007
From: milisbali at nangura.net (Wongbali)
Date: Tue Aug 28 07:50:29 2007
Subject: [LARTC] Strange problem
Message-ID: <009d01c7e937$4ab4e270$0301a8c0@pc>

Dear All,

My apologies if I post in the wrong place.

I have a very strange problem with my Linux machine that is operated as an Internet Gateway. Below is a simple picture of the network configuration:

INTERNET ------| Linux |------ LAN / Mail server

The Linux machine only runs 2 services: SMTP & HTTP Proxy (webcache).

The problem started yesterday with the SMTP traffic (TCP 25) to the LAN (Eth1). But SMTP traffic to the Internet (Eth0) is OK. All other traffic is OK, runs well.
I run telnet to port 25 of the internal mail server (from the Linux machine); the response is very slow but successful (more than 1 minute). All email clients (Outlook Express, Mac, etc.) (almost) always get a timeout message when trying to send email through the Linux machine.

I ran Ethereal to see the packets; there seems to be nothing strange.

I let users relay to the ISP's SMTP server (still NATed by Linux), traffic is fine. Email can pass through.

Telnetting port 25 of the Linux machine gives the same response, very slow (but successful).

I have tried pulling out all the LAN cables and plugging 1 PC directly into the Linux machine; the result is the same. I also replaced Eth1 with another card, same result.

I hope you would share experiences to solve this abnormal problem. What other tools should I use to detect the source of the problem?

Thank you so much for your kind help. Your advice is very much appreciated.

Thx & Rgds,
Awie

From lartc at dervishd.net Tue Aug 28 09:45:24 2007
From: lartc at dervishd.net (DervishD)
Date: Tue Aug 28 09:46:15 2007
Subject: [LARTC] HTB doesn't give me the promised rate: cpufreq?
In-Reply-To: <46D33223.20508@andyfurniss.entadsl.com>
References: <20070826221407.GA1944@DervishD> <46D33223.20508@andyfurniss.entadsl.com>
Message-ID: <20070828074524.GE17475@DervishD>

Hi Andy :)

* Andy Furniss dixit:
> DervishD wrote:
>> I've thought that the culprit may be cpufreq. I have cpufreq scaling
>> activated, and cpufreq reduces the clock speed from 1800MHz to 1000MHz
>> when the processor is idle. This is more or less the same amount that I
>> "lose" in the rate. May this be the problem? How to fix without
>> deactivating cpufreq?
>
> Could be - I don't know. Forgetting cpufreq htb can be limited by Hz if
> the burst size is too small.

I've tested with a burst size of 1500 (my MTU) and with precomputed values (which are 1614b for burst, 1633b for cburst) and the result is the same. I'm using HZ=1000 in my kernel, so my resolution is 1ms.
According to the HTB docs, the burst that will cause the rate to be burst-bound is 272000bit * 1m = 272bit.

>> I'm using htb+sfq, and I can post here my tc setup if needed (it is
>> quite short), including the filters. It should be OK, since it has been
>> working for almost two years. Right now I cannot disable cpufreq because of
>> temperature problems, and I cannot shut down the machine either, so I
>> cannot test if cpufreq is the culprit, that's why I'm asking. I haven't
>> found anything while googling, either.
>
> If you have perturb too low on sfq the packet reordering it causes could
> make the sender back off too much.

I have a perturb of 10, as I've always used.

Finally I could turn the machine off and clean the CPU fan, so I've made a test using the performance governor and the ondemand governor of cpufreq and yes, the problem is the cpufreq thing :((((

I'll start a new thread here for this and will report to LKML too.

Thanks for your answer :))

Raúl Núñez de Arenas Coronado
--
Linux Registered User 88736 | http://www.dervishd.net
It's my PC and I'll cry if I want to... RAmen!

From lartc at dervishd.net Tue Aug 28 09:47:38 2007
From: lartc at dervishd.net (DervishD)
Date: Tue Aug 28 09:48:16 2007
Subject: [LARTC] cpufreq affects rate in, at least, htb
Message-ID: <20070828074738.GF17475@DervishD>

Hi all :)

I've tested this and having a cpufreq that slows down the CPU affects the rate of HTB. My ondemand cpufreq governor scales down the CPU frequency about 40% and this is more or less the slowdown the rate suffers, 40%.

Any known way of dealing with this without having to disable cpufreq?

Thanks in advance :)

Raúl Núñez de Arenas Coronado
--
Linux Registered User 88736 | http://www.dervishd.net
It's my PC and I'll cry if I want to... RAmen!
From andreas at stapelspeicher.org Tue Aug 28 12:24:07 2007
From: andreas at stapelspeicher.org (Andreas Mueller)
Date: Tue Aug 28 12:24:30 2007
Subject: [LARTC] cpufreq affects rate in, at least, htb
In-Reply-To: <20070828074738.GF17475@DervishD>
References: <20070828074738.GF17475@DervishD>
Message-ID: <20070828102407.GA3668@lintera>

Hi, DervishD

DervishD wrote:
> Hi all :)
>
> I've tested this and having a cpufreq that slows down the CPU
> affects the rate of HTB. My ondemand cpufreq governor scales down the
> CPU frequency about 40% and this is more or less the slowdown the rate
> suffers, 40%.
>
> Any known way of dealing with this without having to disable
> cpufreq?
>
> Thanks in advance :)
>
> Raúl Núñez de Arenas Coronado

What kernel version do you use? In 2.6.22 another timer is used for psched. Maybe NO_HZ could interfere on this issue too.

Bye, Andreas.

From lists at andyfurniss.entadsl.com Tue Aug 28 13:20:42 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Tue Aug 28 13:20:42 2007
Subject: [LARTC] HTB doesn't give me the promised rate: cpufreq?
In-Reply-To: <20070828074524.GE17475@DervishD>
References: <20070826221407.GA1944@DervishD> <46D33223.20508@andyfurniss.entadsl.com> <20070828074524.GE17475@DervishD>
Message-ID: <46D4050A.5000209@andyfurniss.entadsl.com>

DervishD wrote:
> I'll start a new thread here for this and will report to LKML too.

OK, you should probably report to netdev@vger.kernel.org rather than LKML.

Andy.

From janasamit at wlink.com.np Tue Aug 28 14:50:46 2007
From: janasamit at wlink.com.np (Samit)
Date: Tue Aug 28 14:51:16 2007
Subject: [LARTC] Traffic shaping PPPoe encapsulated packet [SOLVED]
In-Reply-To: <46D33A57.4030805@andyfurniss.entadsl.com>
References: <46D1ABFA.1060901@wlink.com.np> <46D33A57.4030805@andyfurniss.entadsl.com>
Message-ID: <46D41A26.3010207@wlink.com.np>

Thanks.. it worked..
:)

/sbin/tc filter add dev eth1 protocol 0x8864 parent 2:0 prio 1 u32 \
    match u32 0x$IPREMOTE_HEX 0xffffffff at 24 flowid 2:$ID

Now I don't have to shape the dst traffic on each ppp interface.

Regards,
Samit

Andy Furniss wrote:
> Samit wrote:
>> Hi,
>>
>> I want a way to traffic shape pppoe encapsulated pkts based on their
>> src/dst IP address. Is there any way I can mark pppoe encapsulated pkts?
>
> I don't know what you can do with iptables now it's X tables.
>
> If you have the ppp interface on the shaping/netfilter box then you will
> see ip from/to it anyway.
>
> If the pppoe is just passing through then you should be able to make a
> u32 filter to match parts of the packet. Use tcpdump -e to see the
> ethertype protocol number for pppoe data frames and make a filter to
> match that number, then I guess the IP part will be at an offset of 8
> more than the normal offsets. You will need to use u32 to match the
> src/dst addresses in hex. I have never done it, but it should be possible.
>
> tc filter add dev $DEV protocol $PPPOE prio 1 u32 match u32 0xc0a80001
> 0xffffffff at 20 flowid ....
>
> should match src 192.168.0.1; use "at 24" for dst.
>
> Andy

From lartc at dervishd.net Tue Aug 28 17:03:53 2007
From: lartc at dervishd.net (DervishD)
Date: Tue Aug 28 17:04:14 2007
Subject: [LARTC] cpufreq affects rate in, at least, htb
In-Reply-To: <20070828102407.GA3668@lintera>
References: <20070828074738.GF17475@DervishD> <20070828102407.GA3668@lintera>
Message-ID: <20070828150353.GA27642@DervishD>

Hi Andreas :)

* Andreas Mueller dixit:
> DervishD wrote:
>> Hi all :)
>>
>> I've tested this and having a cpufreq that slows down the CPU
>> affects the rate of HTB. My ondemand cpufreq governor scales down the
>> CPU frequency about 40% and this is more or less the slowdown the rate
>> suffers, 40%.
>>
>> Any known way of dealing with this without having to disable
>> cpufreq?
>
> What kernel version do you use?
Sorry, I forgot to include that documentation... I'm using 2.6.20.14, and I was waiting until the 2.6.22 stable branch reached at least 10 (I'm tired of regressions with all 2.6.x kernels, so I try to avoid updating if possible).

> In 2.6.22 another timer is used for psched.

I'll give it a try, then, but not before 2.6.22.10 at least.

> Maybe NO_HZ could interfere on this issue too.

Currently I have CONFIG_HZ_1000=y and CONFIG_HZ=1000, and no tickless idle since that feature was introduced in a later kernel. Probably the problem is the shared timer and I will have to use a 2.6.22 kernel to have it if I dare upgrading ;))

Thanks for the information, Andreas :)

Raúl Núñez de Arenas Coronado
--
Linux Registered User 88736 | http://www.dervishd.net
It's my PC and I'll cry if I want to... RAmen!

From lartc at dervishd.net Tue Aug 28 17:07:49 2007
From: lartc at dervishd.net (DervishD)
Date: Tue Aug 28 17:08:08 2007
Subject: [LARTC] HTB doesn't give me the promised rate: cpufreq?
In-Reply-To: <46D4050A.5000209@andyfurniss.entadsl.com>
References: <20070826221407.GA1944@DervishD> <46D33223.20508@andyfurniss.entadsl.com> <20070828074524.GE17475@DervishD> <46D4050A.5000209@andyfurniss.entadsl.com>
Message-ID: <20070828150749.GB27642@DervishD>

Hi Andy :)

* Andy Furniss dixit:
> DervishD wrote:
>> I'll start a new thread here for this and will report to LKML too.
>
> OK, you should probably report to netdev@vger.kernel.org rather than LKML.

I was considering it, but then I thought that maybe this problem was known and affecting other parts of the kernel. Given the lack of response, probably reporting to netdev is better. I'll bounce the message there.

Thanks :)

Raúl Núñez de Arenas Coronado
--
Linux Registered User 88736 | http://www.dervishd.net
It's my PC and I'll cry if I want to... RAmen!
From nozo at ziu.info Tue Aug 28 17:09:37 2007
From: nozo at ziu.info (Michal Soltys)
Date: Tue Aug 28 17:09:47 2007
Subject: [LARTC] prio bands and ignored priomap when any tc filter is present
In-Reply-To:
References: <46D3AC5D.3010601@ziu.info>
Message-ID: <46D43AB1.40706@ziu.info>

Javier Ors wrote:
> I'm not sure but I think that you have to choose either to use the
> priomap, or to use only the filters. I have also noticed this problem: if
> you set a filter for only one kind of traffic the rest of it ends in
> some random band.

Ok, thanks for the confirmation.

> Anyway, the priomap is a mess and for the ip traffic you can do the same
> that it does (and much more) with just three tc filters.

Well, priomap is just a quick temporary solution here. I'll be setting up hfsc most probably.

> By the way, IMHO all the priomap stuff is not quite clear in the LARTC HOWTO, and I
> have prepared some alternative explanation. Is the HOWTO still accepting
> contributions? I've seen that it hasn't been updated for many years now.
No idea, I'm not the one to be asked about it :)

Russell Stuart has a bit more complete info about prio here:

http://ace-host.stuart.id.au/russell/files/tc/doc/tc/sch_prio.txt

From jaorani at gmail.com Tue Aug 28 21:07:26 2007
From: jaorani at gmail.com (Javier Ors)
Date: Tue Aug 28 21:07:32 2007
Subject: [LARTC] prio bands and ignored priomap when any tc filter is present
In-Reply-To: <46D43AB1.40706@ziu.info>
References: <46D3AC5D.3010601@ziu.info> <46D43AB1.40706@ziu.info>
Message-ID:

Really, I only understood what the *priorities* of the priomap were when I read this other document from him:

http://ace-host.stuart.id.au/russell/files/tc/doc/tc/priority.txt

The document I prepared was just an alternative for the priomap section of the howto based on this information; the only thing I would add to this information would be an extra comment at the end:

"- The ToS-to-Linux_Priority mapping is made at the very beginning of the routing process, even before the packet enters the iptables chains. This means that changing the ToS field of the packet with iptables' "-j TOS --set-tos" flags will change neither its Linux priority nor the band it will be assigned to."

And maybe talk about the fact that the ToS byte has been replaced by the DiffServ Code Point, but for the moment the priority mapping, and many common applications, are still using the ToS scheme, not other things like ICMP traffic as far as I've seen...

> No idea, I'm not the one to be asked about it :)

Sorry, the question was for the list, I didn't realize that I was sending it only to you, a newbie mistake. :)

From lists at andyfurniss.entadsl.com Tue Aug 28 22:21:04 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Tue Aug 28 22:21:00 2007
Subject: [LARTC] Help about a QoS configuration
In-Reply-To:
References:
Message-ID: <46D483B0.2040008@andyfurniss.entadsl.com>

Javier Ors wrote:
> Hi, I would like to make a QoS configuration on a linux based dsl router. It
> is for a server, so I want to shape outgoing traffic; incoming traffic
> should not be a problem as long as I have a quite asymmetric connection. I
> would like to achieve the following goals:
>
> 1) To have one class (p2p) having all the available bandwidth if there is no
> activity on other classes.
> 2) If another class (ftp server) starts to transmit, to take all the
> available bandwidth except for, say, 20 KB/s reserved for p2p.
> 3) If a third class (ssh, web) starts to transmit, again, to take all the
> available bandwidth except for the 20KB/s for p2p and 40 KB/s for ftp.
> etc...
>
> I have an upload link that varies from 700kbit to 1000kbit depending on the
> negotiation of the line. I wouldn't like to artificially underlimit it to
> work properly; remember that I'm doing the shaping on the same router, on
> the real (nas0) interface, so in this case the speed of the interface is the
> speed of the link, and I think that it shouldn't be necessary to slow down
> the upload speed... am I wrong?

Probably, both my PCI modems still had big buffers beyond the ppp that I shaped on. Even if nas0 did only accept traffic when it had finished transmitting I don't think you could do what you want above.

> The case is that I have tried to achieve these goals with several
> configurations of htb, but none of them has worked as I expected. I set the
> rate of the p2p class to 20KB/s and a higher one for ftp (40KB/s for
> example), and also a higher priority.
> But when the ftp class begins to
> transmit, the p2p class still remains borrowing from the parent over 20KB/s
> while the ftp class is below its rate. I set the rate of the parent to
> 1000kbit. Is this behaviour normal? Is there any other way to achieve the
> above goals?

The problem is that DSL sync rates are ATM rates so there are quite a lot of overheads. A small eg. ack packet may be seen as 40 bytes by HTB on nas0, but will use 106 bytes (2 cells) on the wire. If your connection is highly asymmetric acks can eat a fair chunk of upload bandwidth. It affects bigger packets as well: 1500 = 32 cells = 1696 bytes at ATM level.

There is a solution, but you'll need to patch your kernel and iproute2 (tc), and find out what your overheads are - it depends how you connect to your ISP, see -

http://ace-host.stuart.id.au/russell/files/tc/tc-atm/

To handle your varying sync rate you would need to make a script to check periodically and restart your script with the new rate.

If you patch you can run almost at sync rate - back off a few kbit to allow for the modem rounding down to whole cells/sec for its own aal0/5 QOS, and ppp lcp pings can eat a few bits/sec if used. Also to cover yourself for restarting the script when active so any backlog can slowly drain.

Andy.

> Thanks in advance for your help and your attention.

From ad at heliosphan.co.uk Wed Aug 29 00:19:36 2007
From: ad at heliosphan.co.uk (Adam James)
Date: Wed Aug 29 00:19:46 2007
Subject: [LARTC] cpufreq affects rate in, at least, htb
In-Reply-To: <20070828074738.GF17475@DervishD>
References: <20070828074738.GF17475@DervishD>
Message-ID: <20070828231936.22b9683a@localhost>

On Tue, 28 Aug 2007 09:47:38 +0200
DervishD wrote:

> I've tested this and having a cpufreq that slows down the CPU
> affects the rate of HTB. My ondemand cpufreq governor scales down the
> CPU frequency about 40% and this is more or less the slowdown the rate
> suffers, 40%.
This is expected behaviour when CONFIG_NET_SCH_CLK_CPU is defined:

    Say Y here if you want to use the CPU's cycle counter as clock source.
    This is a cheap and high resolution clock source, but on some
    architectures it is not synchronized on all processors and doesn't
    handle cpu clock frequency changes.

> Any known way of dealing with this without having to disable
> cpufreq?

Yes, specify a different clock source in your kernel configuration.

--atj

From jaorani at gmail.com Wed Aug 29 02:01:04 2007
From: jaorani at gmail.com (Javier Ors)
Date: Wed Aug 29 02:01:18 2007
Subject: [LARTC] Help about a QoS configuration
In-Reply-To: <46D483B0.2040008@andyfurniss.entadsl.com>
References: <46D483B0.2040008@andyfurniss.entadsl.com>
Message-ID:

> Probably, both my PCI modems still had big buffers beyond the ppp that I
> shaped on. Even if nas0 did only accept traffic when it had finished
> transmitting I don't think you could do what you want above.
>
> The problem is that DSL sync rates are ATM rates so there are quite a lot
> of overheads. A small eg. ack packet may be seen as 40 bytes by HTB on
> nas0, but will use 106 bytes (2 cells) on the wire. If your connection is
> highly asymmetric acks can eat a fair chunk of upload bandwidth. It
> affects bigger packets as well: 1500 = 32 cells = 1696 bytes at ATM level.

Thank you for such a technical answer. I suppose that this explains why the saturation speed (the one the line reaches with no shaping) is always 85%~95% of the negotiated speed that I see in the router configuration page.

About the buffer size... is it the same as the txqueuelength value shown in ifconfig? It is set at 100 (packets I suppose), but it can be changed. I have no ppp encapsulation, it's a bridged connection, so the packets go directly to this interface...
> There is a solution, but you'll need to patch your kernel and
> iproute2 (tc), and find out what your overheads are - it depends how you
> connect to your ISP, see -
>
> http://ace-host.stuart.id.au/russell/files/tc/tc-atm/
>
> To handle your varying sync rate you would need to make a script to
> check periodically and restart your script with the new rate.
>
> If you patch you can run almost at sync rate - back off a few kbit to
> allow for the modem rounding down to whole cells/sec for its own aal0/5 QOS,
> and ppp lcp pings can eat a few bits/sec if used. Also to cover
> yourself for restarting the script when active so any backlog can slowly
> drain.

Very interesting information; anyway I think that I'll not need to do this (I don't even think I can, patching the kernel and the iproute2 that run on the embedded system in the router, bufff...)

Hopefully, I have found a simple solution that can achieve the proposed goals... It still needs further testing, but I think it'll work. I post it here, maybe someone else could be interested.

This is what I've tested so far:

               prio qdisc
                   |
       --------------------------
       |                        |
   lower prio              higher prio
       |                        |
     pfifo                     htb*
                           limit 60KB/s
       |                        |
      p2p                      ftp

*(tbf could also have been used for this simple test)

The results of this test were successful. I mean, with only the p2p the line was running at full saturation speed; when I started to use the ftp it reached the 60KB/s limit without problems, with p2p taking the rest of the line, which never stopped working at full speed.

Given these results, I think that the following scheme will work like a charm...

                           prio qdisc
                               |
       ------------------------------------------------------
       |                       |                            |
  low priority          medium priority              high priority
       |                       |                            |
      sfq                     htb                         pfifo
                         dynamic limit
       |                       |                            |
      p2p             ftp, web, mail...          small ACK's, ICMP, ssh...
As you told me, I think that I can make a script that constantly checks the top speed on the prio (which will always be saturated due to the p2p), and adjusts the htb limit to some % of it, or subtracting a fixed quantity (the quantity that will remain for the p2p when running ftp at full speed, which is what I wanted to achieve in the beginning).

I hope it'll work...

From gtaylor at riverviewtech.net Wed Aug 29 07:27:48 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Wed Aug 29 07:27:57 2007
Subject: [LARTC] Dead Gateway Detection & BGP
In-Reply-To: <46D3081C.8000800@rabbit.us>
References: <00a101c7e806$adc89500$0959bf00$@net.nz> <46D2E2EA.3010803@riverviewtech.net> <46D3011D.1050709@riverviewtech.net> <46D3081C.8000800@rabbit.us>
Message-ID: <46D503D4.9040106@riverviewtech.net>

On 8/27/2007 12:21 PM, Peter Rabbitson wrote:
> It is OK to charge for any provided service, good or bad. It is not OK
> to label this as "giving back as much as was offered".

I'm not sure that I completely understand what you are trying to get at, therefore I can not comment correctly. However, I was trying to imply that my company has spent time and money to develop a configuration (what) including the order in which things are configured in (how). With the order of configuration (how) being more of our information that we are not eager to give up. We are more than willing to list out the components (what) that were used and possibly even some of an order, but not all of the order.

With that being said, I think offering up the what for free without the how (below) is fairly good while still protecting our time and money investment.

The "what" would consist of the following:
- Large overall block diagram.
- List of modules used for each block.
- List of optional modules used for each block.
- Explanation of what each module does to fulfill the block.
- Possibly some how, or an indication to follow the Read-Me(s).

The "how" would consist of the following:
- How to configure each module to achieve the desired result.

The "how" is where our company has spent the most time and money to get things to work and achieve much larger projects.

Grant. . . .

From gtaylor at riverviewtech.net Wed Aug 29 07:40:25 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Wed Aug 29 07:40:35 2007
Subject: [LARTC] Dead Gateway Detection & BGP
In-Reply-To: <46D38D55.9060201@vsnl.com>
References: <00a101c7e806$adc89500$0959bf00$@net.nz> <46D2E2EA.3010803@riverviewtech.net> <46D3011D.1050709@riverviewtech.net> <46D38D55.9060201@vsnl.com>
Message-ID: <46D506C9.90506@riverviewtech.net>

On 8/27/2007 9:49 PM, Mohan Sundaram wrote:
> Such a service is a much needed complement to forums to aid adoption
> of FOSS. I was doing this for a fairly long while as a knowhow
> provider.

*nod*

> There is a very thin line one needs to walk. Forums being used to
> vend services is frowned upon, rightly so. It is the concept of free
> sharing that gets violated. Even when I was a consultant, I used to
> offer complete advice to forums simply because it gave me
> satisfaction. I'd learnt a lot from the forums and this was my way of
> returning the coin.

Agreed. Normally I do tend to offer up the complete solution, especially if said solution or one very similar can be found elsewhere on the net with a bit of Googling. However, when the solution in question is that of something that was not readily available on the net and one that we spent a lot of time putting the puzzle pieces together, we tend to hold on to some of it.

> There is a definite need and opportunity. Reasonable is dependent on
> a lot of factors and the same service yields different values to
> different customers.

Indeed.

> My philosophy: I think it is definitely possible to differentiate
> between personal time and company time.
> It is like social work. If
> you do something on your personal time that does not eat into your
> co's biz, I believe it is good to do so free. Even if you did do it
> such, so long as you do not charge for it, I believe it is not
> unethical.

I'm not sure what you are trying to get at there. I think you are saying that if you do it on personal time, then you probably should find some other sort of personal gratification. If you do it on company time then it is more understandable if it is charged for. Am I anywhere close?

I can see how trolling a forum / news group looking for people asking questions and posting multiple follow up posts only saying "the company that I work for can provide you with a solution for X $s" is not so good. However, if you are an active member of a forum / news group and offer advice and pointers in the right direction to the solution of the question and state that "the company I work for can probably help provide a more complete solution, contact me if you are interested", is that a bit different?

I'm not trying to argue anything here, just to completely understand what you are saying and make sure that you understand what I'm saying (making sure that communication is happening both ways) while discussing this.

Thank you for taking time to reply to my post.

Grant. . . .

From gtaylor at riverviewtech.net Wed Aug 29 07:56:29 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Wed Aug 29 07:56:35 2007
Subject: [LARTC] Rout looping through local host.
In-Reply-To:
References: <46CB0F32.7040206@riverviewtech.net>
Message-ID: <46D50A8D.3050307@riverviewtech.net>

> Yes, patch works for output routes only. May be you can try to
> forward traffic with ip rules with iif parameter. Make sure you have
> rules and routes for both directions. Of course, there must be some
> IP addresses because routes work only for devices with IPs.
> SNAT
> should be able to assign non-local external IP address, not possible
> for MASQUERADE, you have to use SNAT everywhere. That is, don't
> configure the SNAT addresses. Then you should not see local IPs in
> the traffic. Not sure for other pitfalls.

Thank you for taking the time to reply to me.

Due to time constraints I ended up falling back to the old tried and true standby of using a User Mode Linux system to do the routing that I needed to. My system currently has the main routing context and multiple UML routers that each have another routing context.

Again, thank you and have a nice day.

Grant. . . .

From indunil75 at gmail.com Wed Aug 29 08:47:33 2007
From: indunil75 at gmail.com (Indunil Jayasooriya)
Date: Wed Aug 29 08:47:57 2007
Subject: [LARTC] subdivide 64 kbit bandwidth 32kbit for WWW and 32 Kbit for mail
In-Reply-To: <46D36B69.7080509@andyfurniss.entadsl.com>
References: <7ed6b0aa0708240148t7d55e830ke1c7bcf63a4ce219@mail.gmail.com> <46D36B69.7080509@andyfurniss.entadsl.com>
Message-ID: <7ed6b0aa0708282347n73b0860dsba8ae007a21a0d64@mail.gmail.com>

>> Now, what I need is to subdivide this 64 kbit bandwidth: 32kbit for WWW and
>> 32 Kbit for mail.
>
> Do you want to share 64kbit so if there is no mail then www can have all
> 64kbit?

When there is no mail, WWW should take all 64 kbit, and also when there is no WWW, mail should take all 64 kbit.

Remember, this is only for downloading, NOT for UPLOADING, as this is a SNATed firewall. Pls see below for the SNAT rules.
#SNAT from LAN1 192.168.101.0/24
iptables -t nat -A POSTROUTING -p tcp -o eth0 -s 192.168.101.0/24 -m multiport --dports 20,21,69,80,443 -j SNAT --to-source 203.143.26.130
iptables -t nat -A POSTROUTING -p udp -o eth0 -s 192.168.101.0/24 --dport 1024: -j SNAT --to-source 203.143.26.130
iptables -t nat -A POSTROUTING -p tcp -o eth0 -s 192.168.101.0/24 --dport 1024: -j SNAT --to-source 203.143.26.130
iptables -t nat -A POSTROUTING -p udp -o eth0 -s 192.168.101.0/24 --dport 53 -j SNAT --to-source 203.143.26.130
iptables -t nat -A POSTROUTING -p icmp -o eth0 -s 192.168.101.0/24 -j SNAT --to-source 203.143.26.130

#SNAT from DMZ ip address of 192.168.100.3 (mail and proxy server)
iptables -t nat -A POSTROUTING -p tcp -o eth0 -s 192.168.100.3 -m multiport --dports 21,22,25,80,443 -j SNAT --to-source 203.143.26.130
iptables -t nat -A POSTROUTING -p udp -o eth0 -s 192.168.100.3 --dport 53 -j SNAT --to-source 203.143.26.130
iptables -t nat -A POSTROUTING -p icmp -o eth0 -s 192.168.100.3 -j SNAT --to-source 203.143.26.130

>> Can I subdivide in that way? If divided, what will happen to other
>> services such as ICMP, SSH, ACK etc?
>
> You need to make your rules to allow for these as well - depending on
> what other traffic hits the server it may be best to give everything
> other than big tcp www/mail packets priority.

The server only acts as a mail server and a proxy server. In addition to that, I ssh to that server from the LAN. From that server too, I ssh to some servers. And also, I ping that server from the LAN. Again, from that server I ping other servers. That's it.

How can I make such rules?

>> Then, how can I achieve this task?
>> I modified the above script. This is what it looks like after editing.
>>
>> #traffic shaping on eth1 (Downloading)
>
> It can be hard to shape properly from the wrong end of a slow wan - but
> your rates here are low so it should be OK.

64 kbit is the allocated bandwidth for the DMZ.
If needed, I can make it 128 kbit.

>> INTERFAZ_DMZ=eth1
>> FULLBANDWIDTH=256
>> BANDWIDTH4DMZ=64
>>
>> tc qdisc del root dev $INTERFAZ_DMZ
>>
>> tc qdisc add dev $INTERFAZ_DMZ root handle 1: htb r2q 4
>> tc class add dev $INTERFAZ_DMZ parent 1: classid 1:2 htb rate "$FULLBANDWIDTH"Kbit
>> tc class add dev $INTERFAZ_DMZ parent 1: classid 1:5 htb rate "$BANDWIDTH4DMZ"Kbit
>>
>> tc class add dev $INTERFAZ_DMZ parent 1:5 classid 1:10 htb rate 32kbit
>> tc class add dev $INTERFAZ_DMZ parent 1:5 classid 1:11 htb rate 32Kbit
>>
>> tc qdisc add dev $INTERFAZ_DMZ parent 1:10 handle 10: sfq perturb 10
>> tc qdisc add dev $INTERFAZ_DMZ parent 1:11 handle 11: sfq perturb 10
>>
>> #192.168.100.3 is the BOX that acts as a mail server and a proxy server.
>> tc filter add dev $INTERFAZ_DMZ parent 1: protocol ip prio 1 u32 match ip dst 192.168.100.0/24 classid 1:10
>> tc filter add dev $INTERFAZ_DMZ parent 1: protocol ip prio 1 u32 match ip dst 192.168.100.0/24 match ip dport 25 0xffff classid 1:11
>
> If these go in in order of entry (they usually do if prio is the same,
> but not always!) then nothing will reach 1:11.

Then, what will I have to do? How can I write the script properly?

>> Pls let me know if it is Okay? or any better way to rewrite it?
>
> It depends what you want and on your setup. Do you have traffic from LAN
> to the proxy/mail - do you really need to shape that or not?

My DMZ is 192.168.100.0/24
My LAN is 192.168.101.0/24

LAN users access my DMZ proxy and mail server (its ip is 192.168.100.3) as I have DNATed as below.

#DNAT from LAN1 to ip 192.168.100.3
iptables -t nat -A PREROUTING -p tcp -i eth2 -d 192.168.101.254 --dport 25 -j DNAT --to-destination 192.168.100.3:25
iptables -t nat -A PREROUTING -p tcp -i eth2 -d 192.168.101.254 --dport 3128 -j DNAT --to-destination 192.168.100.3:3128

That's it. NO NEED to shape this.
> > Do you have traffic from the internet to LAN as well - do you need to
> > shape that - maybe sharing bandwidth with DMZ.

LAN users actually browse the internet and send and receive mails via the DMZ proxy server and mail server. No other traffic.

Thanks for your comments. Hope to hear from you.

> > > EXPECT YOUR COMMENTS.
> >
> > _______________________________________________
> > LARTC mailing list
> > LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

-- 
Thank you
Indunil Jayasooriya

From lartc at dervishd.net Wed Aug 29 09:57:07 2007
From: lartc at dervishd.net (DervishD)
Date: Wed Aug 29 09:57:35 2007
Subject: [LARTC] cpufreq affects rate in, at least, htb
In-Reply-To: <20070828231936.22b9683a@localhost>
References: <20070828074738.GF17475@DervishD> <20070828231936.22b9683a@localhost>
Message-ID: <20070829075707.GC18688@DervishD>

Hi Adam :)

* Adam James dixit:
> On Tue, 28 Aug 2007 09:47:38 +0200
> DervishD wrote:
> > I've tested this and having a cpufreq that slows down the CPU
> > affects the rate of HTB. My ondemand cpufreq governor scales down the
> > CPU frequency about 40% and this is more or less the slowdown the rate
> > suffers, 40%.
>
> This is expected behaviour when CONFIG_NET_SCH_CLK_CPU is defined:

Sh*t! I thought I changed that when I turned on cpufreq and set it to jiffies, but I've seen my /proc/kconfig.gz and it's not true, I have CONFIG_NET_SCH_CLK_CPU :((((

Sorry for the noise, I'm embarrassed... And thanks a lot for your help.

Raúl Núñez de Arenas Coronado

-- 
Linux Registered User 88736 | http://www.dervishd.net
It's my PC and I'll cry if I want to... RAmen!
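The ordering problem pointed out in the shaping thread above (two u32 filters at the same prio, with the catch-all for 192.168.100.0/24 entered first, so the SMTP rule for 1:11 never fires) is fixed by giving the narrower SMTP match a lower prio number than the catch-all, so it is consulted first. The script below is an added example written for this archive, not code from any post; it reuses the thread's interface and class numbering, adds the mask that u32 "match ip dport" requires, and introduces a hypothetical TC variable so the generated commands can be previewed with TC=echo before touching a live router.

```shell
#!/bin/sh
# Added example: DMZ download shaping (eth1) with the SMTP filter consulted
# before the subnet catch-all. TC defaults to the real tc binary; run with
# TC=echo to print the commands instead of applying them.
TC="${TC:-tc}"
INTERFAZ_DMZ="${INTERFAZ_DMZ:-eth1}"
FULLBANDWIDTH=256
BANDWIDTH4DMZ=64

build_dmz_shaping() {
    # Clear any existing root qdisc; ignore the error when there is none.
    $TC qdisc del dev "$INTERFAZ_DMZ" root 2>/dev/null || true

    $TC qdisc add dev "$INTERFAZ_DMZ" root handle 1: htb r2q 4
    $TC class add dev "$INTERFAZ_DMZ" parent 1:  classid 1:2  htb rate "${FULLBANDWIDTH}kbit"
    $TC class add dev "$INTERFAZ_DMZ" parent 1:  classid 1:5  htb rate "${BANDWIDTH4DMZ}kbit"
    # Leaves get a 32 kbit guarantee each and may borrow up to the DMZ share
    # (ceil) from their sibling when it is idle.
    $TC class add dev "$INTERFAZ_DMZ" parent 1:5 classid 1:10 htb rate 32kbit ceil "${BANDWIDTH4DMZ}kbit"
    $TC class add dev "$INTERFAZ_DMZ" parent 1:5 classid 1:11 htb rate 32kbit ceil "${BANDWIDTH4DMZ}kbit"
    $TC qdisc add dev "$INTERFAZ_DMZ" parent 1:10 handle 10: sfq perturb 10
    $TC qdisc add dev "$INTERFAZ_DMZ" parent 1:11 handle 11: sfq perturb 10

    # prio 1: the narrower match (TCP/25 to the mail host) is tried first.
    # u32 "match ip dport" needs an explicit mask, hence the 0xffff.
    $TC filter add dev "$INTERFAZ_DMZ" parent 1: protocol ip prio 1 u32 \
        match ip dst 192.168.100.3/32 match ip protocol 6 0xff \
        match ip dport 25 0xffff flowid 1:11
    # prio 2: everything else destined for the DMZ subnet.
    $TC filter add dev "$INTERFAZ_DMZ" parent 1: protocol ip prio 2 u32 \
        match ip dst 192.168.100.0/24 flowid 1:10
}

# Report the filter prio that carries the given flowid, by dry-running the
# builder with TC=echo, so the ordering can be checked without an interface.
filter_prio_for() {
    ( TC=echo; build_dmz_shaping ) | awk -v want="flowid $1" \
        '$0 ~ want { for (i = 1; i <= NF; i++) if ($i == "prio") { print $(i+1); exit } }'
}

if [ "${1:-}" = "--apply" ]; then
    build_dmz_shaping
fi
```

Run it as `sh script.sh --apply` on the router, or `TC=echo sh script.sh --apply` to review the commands first. The check function is what a practitioner wants after a change like this: it proves that the rule for 1:11 sits at a lower prio number (higher precedence) than the catch-all, which is the property the thread's original script lacked.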
From martin.bjornsson at businessecurity.com Wed Aug 29 10:06:28 2007
From: martin.bjornsson at businessecurity.com (Martin Björnsson)
Date: Wed Aug 29 10:07:11 2007
Subject: [LARTC] HTB does not respect the prio parameter
Message-ID: <46D52904.4040809@businessecurity.com>

Hi all,

I'm experimenting with HTB and the prio parameter and it does not give me results I expect. I've created 4 HTB classes:

1:10 TCP ACKs (prio 0)
1:20 TCP traffic on dst port 10001 (prio 1)
1:30 TCP traffic on dst port 10000 (prio 2)
1:40 Default (prio 3)

ceil and rate parameters are the same for all 4 classes (rate is 1000kbit and ceil is 55000kbit).

Then I start 2 TCP flows on src/dst ports 10000 and 10001. The packets seem to be correctly classified by the filter (I get hits on classes 10, 20 and 30).

The problem is that I get the same throughput on both TCP flows. Shouldn't I get about 1000kbit through class 30 and much more through class 20 since it has higher priority?

Here's my setup script:

#!/bin/sh
/bin/tc qdisc add dev eth0 root handle 1: htb default 40 && \
/bin/tc class add dev eth0 parent 1:0 classid 1:1 htb rate 55000kbit ceil 55000kbit quantum 60000 && \
/bin/tc class add dev eth0 parent 1:1 classid 1:10 htb rate 1000kbit ceil 55000kbit prio 0 quantum 60000 && \
/bin/tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1000kbit ceil 55000kbit prio 1 quantum 60000 && \
/bin/tc class add dev eth0 parent 1:1 classid 1:30 htb rate 1000kbit ceil 55000kbit prio 2 quantum 60000 && \
/bin/tc class add dev eth0 parent 1:1 classid 1:40 htb rate 1000kbit ceil 55000kbit prio 3 quantum 60000 && \
/bin/tc filter add dev eth0 parent 1:0 prio 99 handle 2: protocol ip u32 divisor 256 && \
/bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 \
    ht 2:0: \
    match u8 0x06 0xff at 9 \
    match u8 0x10 0xff at nexthdr+13 \
    flowid 1:10 && \
/bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 \
    ht 2:0: \
    match u8 0x06 0xff at 9 \
    match u16 0x2711 0xffff at nexthdr+2 \
    flowid 1:20 && \
/bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 \
    ht 2:0: \
    match u8 0x06 0xff at 9 \
    match u16 0x2710 0xffff at nexthdr+2 \
    flowid 1:30 && \
/bin/tc filter add dev eth0 parent 1:0 protocol ip prio 99 u32 ht 800:: offset at 0 mask 0x0f00 shift 6 plus 0 match u8 0x40 0xf0 at 0 link 2: && \
/bin/tc qdisc add dev eth0 parent 1:10 handle 20: red limit 1000KB min 10KB max 300KB avpkt 1000 burst 100 probability 0.02 && \
/bin/tc qdisc add dev eth0 parent 1:20 handle 30: red limit 1000KB min 10KB max 300KB avpkt 1000 burst 100 probability 0.02 && \
/bin/tc qdisc add dev eth0 parent 1:30 handle 40: red limit 1000KB min 10KB max 300KB avpkt 1000 burst 100 probability 0.02 && \
/bin/tc qdisc add dev eth0 parent 1:40 handle 50: red limit 1000KB min 10KB max 300KB avpkt 1000 burst 100 probability 0.02

Regards,
Martin

From bojleros at poczta.fm Wed Aug 29 10:58:13 2007
From: bojleros at poczta.fm (bartekR)
Date: Wed Aug 29 10:58:34 2007
Subject: [LARTC] HTB does not respect the prio parameter
In-Reply-To: <46D52904.4040809@businessecurity.com>
References: <46D52904.4040809@businessecurity.com>
Message-ID: <46D53525.8080005@poczta.fm>

Martin Björnsson wrote:
> Hi all,
>
> I'm experimenting with HTB and the prio parameter and it does not give me results I
> expect. I've created 4 HTB classes:
>
> 1:10 TCP ACKs (prio 0)
> 1:20 TCP traffic on dst port 10001 (prio 1)
> 1:30 TCP traffic on dst port 10000 (prio 2)
> 1:40 Default (prio 3)
>
> ceil and rate parameters are the same for all 4 classes (rate is 1000kbit and ceil is
> 55000kbit).
>
> Then I start 2 TCP flows on src/dst ports 10000 and 10001. The packets seem to be
> correctly classified by the filter (I get hits on classes 10, 20 and 30).
>
> The problem is that I get the same throughput on both TCP flows. Shouldn't I get about
> 1000kbit through class 30 and much more through class 20 since it has higher priority?
>
>
> Here's my setup script:
>
> #!/bin/sh
> /bin/tc qdisc add dev eth0 root handle 1: htb default 40 && \
> /bin/tc class add dev eth0 parent 1:0 classid 1:1 htb rate 55000kbit ceil 55000kbit quantum 60000 && \
> /bin/tc class add dev eth0 parent 1:1 classid 1:10 htb rate 1000kbit ceil 55000kbit prio 0 quantum 60000 && \
> /bin/tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1000kbit ceil 55000kbit prio 1 quantum 60000 && \
> /bin/tc class add dev eth0 parent 1:1 classid 1:30 htb rate 1000kbit ceil 55000kbit prio 2 quantum 60000 && \
> /bin/tc class add dev eth0 parent 1:1 classid 1:40 htb rate 1000kbit ceil 55000kbit prio 3 quantum 60000 && \
> /bin/tc filter add dev eth0 parent 1:0 prio 99 handle 2: protocol ip u32 divisor 256 && \
> /bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 \
> ht 2:0: \
> match u8 0x06 0xff at 9 \
> match u8 0x10 0xff at nexthdr+13 \
> flowid 1:10 && \
> /bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 \
> ht 2:0: \
> match u8 0x06 0xff at 9 \
> match u16 0x2711 0xffff at nexthdr+2 \
> flowid 1:20 && \
> /bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 \
> ht 2:0: \
> match u8 0x06 0xff at 9 \
> match u16 0x2710 0xffff at nexthdr+2 \
> flowid 1:30 && \
> /bin/tc filter add dev eth0 parent 1:0 protocol ip prio 99 u32 ht 800:: offset at 0 mask 0x0f00 shift 6 plus 0 match u8 0x40 0xf0 at 0 link 2: && \
> /bin/tc qdisc add dev eth0 parent 1:10 handle 20: red limit 1000KB min 10KB max 300KB avpkt 1000 burst 100 probability 0.02 && \
> /bin/tc qdisc add dev eth0 parent 1:20 handle 30: red limit 1000KB min 10KB max 300KB avpkt 1000 burst 100 probability 0.02 && \
> /bin/tc qdisc add dev eth0 parent 1:30 handle 40: red limit 1000KB min 10KB max 300KB avpkt 1000 burst 100 probability 0.02 && \
> /bin/tc qdisc add dev eth0 parent 1:40 handle 50: red limit 1000KB min 10KB max 300KB avpkt 1000 burst 100 probability 0.02 && \
>
> Regards,
> Martin
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

As far as I know lower prio numbers (as 0) mean higher priority and higher prio numbers (as 7) mean lower priority.

http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm

Bartek

----------------------------------------------------------------------
Mobile messages on your mobile phone >>> http://link.interia.pl/f1b71

From jaorani at gmail.com Wed Aug 29 11:15:33 2007
From: jaorani at gmail.com (Javier Ors)
Date: Wed Aug 29 11:15:41 2007
Subject: [LARTC] Alternative section to the HOWTO...
Message-ID:

IMHO, the priomap explanation in section 9.2.1.1 of the LARTC HOWTO is not clear enough. I only understood its real behavior once I read this document from Russell Stuart:

http://ace-host.stuart.id.au/russell/files/tc/doc/tc/priority.txt

So, based on this information, I've prepared an alternative priomap explanation for this section of the HOWTO; if you like it as it is I could try to do the modifications to the .db file. If not, just take what you want from it or forget it... It is possibly full of technical mistakes and also Linux-centered, as I have no idea how this goes on other operating systems. I'm not a professional, so please don't be hard with the criticism...

priomap
    Determines how packet priorities, as assigned by the kernel, map to bands. The kernel assigns a generic priority to every packet which enters or is generated in the machine, this priority is an 8-bit integer, and higher value means higher priority. The priomap defines how all the 16 possible values of the linux priority are mapped to the bands. For example, on the command line, the default priomap looks like this: 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1.
This means the following mapping:

Linux priority          Default Band (priomap)
--------------          ----------------------
0 (Best Effort)         1
1 (Filler)              2
2                       2
3 (Bulk)                2
4 (Interactive Bulk)    1
5                       2
6 (Interactive)         0
7                       0
8                       1
9                       1
10                      1
11                      1
12                      1
13                      1
14                      1
15                      1

Some of the linux priority values have a symbolic name, but on the table above only five of them are shown. For IPv4 packets we will only care about the bands assigned to those five named values. This is because for packets using this protocol, the priority is assigned based on the ToS octet of the packet, which looks like this:

   0     1     2     3     4     5     6     7
+-----+-----+-----+-----+-----+-----+-----+-----+
|                 |                       |     |
|   PRECEDENCE    |          ToS          | MBZ |
|                 |                       |     |
+-----+-----+-----+-----+-----+-----+-----+-----+

The four ToS bits (the 'ToS field') are defined as:

Binary   Decimal   Meaning
-----------------------------------------
1000     8         Minimize delay (md)
0100     4         Maximize throughput (mt)
0010     2         Maximize reliability (mr)
0001     1         Minimize monetary cost (mmc)
0000     0         Normal Service

As the MBZ must be zero, the actual value of the ToS field is double the value of the ToS bits. Tcpdump -v -v shows you the value of the entire ToS field, not just the four bits. It is the value you see in the first column of the following table, which shows how the ToS values are mapped to the five linux priority values mentioned above:

ToS     Bits   Means                   Linux Priority
------------------------------------------------------
0x0     0      Normal Service          0 (Best Effort)
0x2     1      Minimize Monetary Cost  1 (Filler)
0x4     2      Maximize Reliability    0 (Best Effort)
0x6     3      mmc+mr                  0 (Best Effort)
0x8     4      Maximize Throughput     2 (Bulk)
0xa     5      mmc+mt                  2 (Bulk)
0xc     6      mr+mt                   2 (Bulk)
0xe     7      mmc+mr+mt               2 (Bulk)
0x10    8      Minimize Delay          6 (Interactive)
0x12    9      mmc+md                  6 (Interactive)
0x14    10     mr+md                   6 (Interactive)
0x16    11     mmc+mr+md               6 (Interactive)
0x18    12     mt+md                   4 (Int. Bulk)
0x1a    13     mmc+mt+md               4 (Int. Bulk)
0x1c    14     mr+mt+md                4 (Int. Bulk)
0x1e    15     mmc+mr+mt+md            4 (Int. Bulk)

This mapping is hard-coded and can not be adjusted; only the default priomap can be changed. To clarify, the whole process for an IPv4 packet would be:

ToS value ------mapping------> Linux Priority ------priomap------> Band

A few extra comments:

- The ToS-to-Linux_Priority mapping is made at the very beginning of the routing process, even before the packet enters the iptables chains. This means that changing the ToS field of the packet with iptables' "-j TOS --set-tos" flags will change neither its linux priority nor the band it will be assigned to.

- Also notice that this mapping is not one-to-one; for example, by only adjusting the priomap, it is impossible to assign a packet with ToS value 0x00 (Normal Service) to a different band than a packet with ToS 0x02 (Maximize reliability), as both values are mapped to linux priority 0 (Best Effort).

- At the moment of writing this, the ToS octet of the IPv4 protocol has been superseded by the Diffserv Code Point. But the default linux priority mapping, and most common applications (ssh, ftp servers, etc...) are still using the ToS scheme; however, this may change in the future.

From martin.bjornsson at businessecurity.com Wed Aug 29 12:50:05 2007
From: martin.bjornsson at businessecurity.com (Martin Björnsson)
Date: Wed Aug 29 12:50:49 2007
Subject: [LARTC] HTB does not respect the prio parameter
In-Reply-To: <46D53525.8080005@poczta.fm>
References: <46D52904.4040809@businessecurity.com> <46D53525.8080005@poczta.fm>
Message-ID: <46D54F5D.7000806@businessecurity.com>

Yes, exactly. So my 1:20 class (prio 1) should get to send more than the 1:30 class. But it doesn't, they both get about the same throughput.

Nobody else having problems with the prio parameter?
Martin

bartekR wrote:
> Martin Björnsson wrote:
>> Hi all,
>>
>> I'm experimenting with HTB and the prio parameter and it does not give me results I
>> expect. I've created 4 HTB classes:
>>
>> 1:10 TCP ACKs (prio 0)
>> 1:20 TCP traffic on dst port 10001 (prio 1)
>> 1:30 TCP traffic on dst port 10000 (prio 2)
>> 1:40 Default (prio 3)
>>
>> ceil and rate parameters are the same for all 4 classes (rate is 1000kbit and ceil is
>> 55000kbit).
>>
>> Then I start 2 TCP flows on src/dst ports 10000 and 10001. The packets seem to be
>> correctly classified by the filter (I get hits on classes 10, 20 and 30).
>>
>> The problem is that I get the same throughput on both TCP flows. Shouldn't I get about
>> 1000kbit through class 30 and much more through class 20 since it has higher priority?
>>
>>
>> Here's my setup script:
>>
>> #!/bin/sh
>> /bin/tc qdisc add dev eth0 root handle 1: htb default 40 && \
>> /bin/tc class add dev eth0 parent 1:0 classid 1:1 htb rate 55000kbit ceil 55000kbit quantum 60000 && \
>> /bin/tc class add dev eth0 parent 1:1 classid 1:10 htb rate 1000kbit ceil 55000kbit prio 0 quantum 60000 && \
>> /bin/tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1000kbit ceil 55000kbit prio 1 quantum 60000 && \
>> /bin/tc class add dev eth0 parent 1:1 classid 1:30 htb rate 1000kbit ceil 55000kbit prio 2 quantum 60000 && \
>> /bin/tc class add dev eth0 parent 1:1 classid 1:40 htb rate 1000kbit ceil 55000kbit prio 3 quantum 60000 && \
>> /bin/tc filter add dev eth0 parent 1:0 prio 99 handle 2: protocol ip u32 divisor 256 && \
>> /bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 \
>> ht 2:0: \
>> match u8 0x06 0xff at 9 \
>> match u8 0x10 0xff at nexthdr+13 \
>> flowid 1:10 && \
>> /bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 \
>> ht 2:0: \
>> match u8 0x06 0xff at 9 \
>> match u16 0x2711 0xffff at nexthdr+2 \
>> flowid 1:20 && \
>> /bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 \
>> ht 2:0: \
>> match u8 0x06 0xff at 9 \
>> match u16 0x2710 0xffff at nexthdr+2 \
>> flowid 1:30 && \
>> /bin/tc filter add dev eth0 parent 1:0 protocol ip prio 99 u32 ht 800:: offset at 0 mask 0x0f00 shift 6 plus 0 match u8 0x40 0xf0 at 0 link 2: && \
>> /bin/tc qdisc add dev eth0 parent 1:10 handle 20: red limit 1000KB min 10KB max 300KB avpkt 1000 burst 100 probability 0.02 && \
>> /bin/tc qdisc add dev eth0 parent 1:20 handle 30: red limit 1000KB min 10KB max 300KB avpkt 1000 burst 100 probability 0.02 && \
>> /bin/tc qdisc add dev eth0 parent 1:30 handle 40: red limit 1000KB min 10KB max 300KB avpkt 1000 burst 100 probability 0.02 && \
>> /bin/tc qdisc add dev eth0 parent 1:40 handle 50: red limit 1000KB min 10KB max 300KB avpkt 1000 burst 100 probability 0.02 && \
>>
>> Regards,
>> Martin
>> _______________________________________________
>> LARTC mailing list
>> LARTC@mailman.ds9a.nl
>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>
>>
> As far as I know lower prio numbers (as 0) means higher priority and
> higher prio numbers (as 7) means lower priority.
>
> http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm
>
> Bartek
>
> ----------------------------------------------------------------------
> Mobile messages on your mobile phone >>> http://link.interia.pl/f1b71
>

From hijacker at oldum.net Wed Aug 29 12:56:44 2007
From: hijacker at oldum.net (Nikolay Kichukov)
Date: Wed Aug 29 12:56:56 2007
Subject: [LARTC] HTB does not respect the prio parameter
In-Reply-To: <46D54F5D.7000806@businessecurity.com>
References: <46D52904.4040809@businessecurity.com> <46D53525.8080005@poczta.fm> <46D54F5D.7000806@businessecurity.com>
Message-ID: <46D550EC.8030005@oldum.net>

Hello Martin,

I used to have this kind of problem before. Not sure if I resolved it with the help of folks on this mailing list, but I never tested.
What you can try is to remove the prio parameter from the classes and leave the prio only for the filters.

Let us know if that helps.

Cheers,
-Nikolay

Martin Björnsson wrote:
> Yes, exactly. So my 1:20 class (prio 1) should get to send more than the 1:30 class. But
> it doesn't, they both get about the same throughput.
>
> Nobody else having problems with the prio parameter?
>
> Martin
>
> bartekR wrote:
>> Martin Björnsson wrote:
>>> Hi all,
>>>
>>> I'm experimenting with HTB and the prio parameter and it does not give
>>> me results I expect. I've created 4 HTB classes:
>>>
>>> 1:10 TCP ACKs (prio 0)
>>> 1:20 TCP traffic on dst port 10001 (prio 1)
>>> 1:30 TCP traffic on dst port 10000 (prio 2)
>>> 1:40 Default (prio 3)
>>>
>>> ceil and rate parameters are the same for all 4 classes (rate is
>>> 1000kbit and ceil is 55000kbit).
>>>
>>> Then I start 2 TCP flows on src/dst ports 10000 and 10001. The packets
>>> seem to be correctly classified by the filter (I get hits on classes 10, 20 and 30).
>>>
>>> The problem is that I get the same throughput on both TCP flows.
>>> Shouldn't I get about 1000kbit through class 30 and much more through class 20 since it has
>>> higher priority?
>>>
>>>
>>> Here's my setup script:
>>>
>>> #!/bin/sh
>>> /bin/tc qdisc add dev eth0 root handle 1: htb default 40 && \
>>> /bin/tc class add dev eth0 parent 1:0 classid 1:1 htb rate 55000kbit ceil 55000kbit quantum 60000 && \
>>> /bin/tc class add dev eth0 parent 1:1 classid 1:10 htb rate 1000kbit ceil 55000kbit prio 0 quantum 60000 && \
>>> /bin/tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1000kbit ceil 55000kbit prio 1 quantum 60000 && \
>>> /bin/tc class add dev eth0 parent 1:1 classid 1:30 htb rate 1000kbit ceil 55000kbit prio 2 quantum 60000 && \
>>> /bin/tc class add dev eth0 parent 1:1 classid 1:40 htb rate 1000kbit ceil 55000kbit prio 3 quantum 60000 && \
>>> /bin/tc filter add dev eth0 parent 1:0 prio 99 handle 2: protocol ip u32 divisor 256 && \
>>> /bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 \
>>> ht 2:0: \
>>> match u8 0x06 0xff at 9 \
>>> match u8 0x10 0xff at nexthdr+13 \
>>> flowid 1:10 && \
>>> /bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 \
>>> ht 2:0: \
>>> match u8 0x06 0xff at 9 \
>>> match u16 0x2711 0xffff at nexthdr+2 \
>>> flowid 1:20 && \
>>> /bin/tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 \
>>> ht 2:0: \
>>> match u8 0x06 0xff at 9 \
>>> match u16 0x2710 0xffff at nexthdr+2 \
>>> flowid 1:30 && \
>>> /bin/tc filter add dev eth0 parent 1:0 protocol ip prio 99 u32 ht 800:: offset at 0 mask 0x0f00 shift 6 plus 0 match u8 0x40 0xf0 at 0 link 2: && \
>>> /bin/tc qdisc add dev eth0 parent 1:10 handle 20: red limit 1000KB min 10KB max 300KB avpkt 1000 burst 100 probability 0.02 && \
>>> /bin/tc qdisc add dev eth0 parent 1:20 handle 30: red limit 1000KB min 10KB max 300KB avpkt 1000 burst 100 probability 0.02 && \
>>> /bin/tc qdisc add dev eth0 parent 1:30 handle 40: red limit 1000KB min 10KB max 300KB avpkt 1000 burst 100 probability 0.02 && \
>>> /bin/tc qdisc add dev eth0 parent 1:40 handle 50: red limit 1000KB min 10KB max 300KB avpkt 1000 burst 100 probability 0.02 && \
>>>
>>> Regards,
>>> Martin
>>> _______________________________________________
>>> LARTC mailing list
>>> LARTC@mailman.ds9a.nl
>>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>>
>>>
>> As far as I know lower prio numbers (as 0) means higher priority and
>> higher prio numbers (as 7) means lower priority.
>>
>> http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm
>>
>> Bartek
>>
>> ----------------------------------------------------------------------
>> Mobile messages on your mobile phone >>> http://link.interia.pl/f1b71
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From dino at webjogger.net Wed Aug 29 15:24:10 2007
From: dino at webjogger.net (Mario Antonio Garcia)
Date: Wed Aug 29 15:24:24 2007
Subject: [LARTC] Clock Source Kernel settings in 2.6.22
References: <20070828074738.GF17475@DervishD> <20070828231936.22b9683a@localhost>
Message-ID: <45E4FD623F464B30A0067FF269007B89@shadow>

I wonder if somebody has got good results (accurate shaping) using 2.6.22?

I am testing with 2.6.22.1, and I haven't been able to get accurate shaping.
For instance, I tried:

$TC qdisc add dev eth0 root handle 1: htb default 1
$TC class add dev eth0 parent 1: classid 1:1 htb rate 100000kbit ceil 100000kbit burst 24k cburst 24k
$TC class add dev eth0 parent 1:1 classid 1:10 htb rate 20000kbit ceil 20000kbit burst 24k cburst 24k

and class 1:10 shapes the traffic to 19900kbit instead of 20000kbit (bandwidth tests made with ftp and iperf).

My corresponding kernel settings are:

CONFIG_GENERIC_TIME=y
CONFIG_CLOCKSOURCE_WATCHDOG=y
CONFIG_DEFAULT_IOSCHED="cfq"
CONFIG_NO_HZ=y
CONFIG_HIGH_RES_TIMERS=y
CONFIG_HPET_TIMER=y
CONFIG_SCHED_SMT=y
CONFIG_SCHED_MC=y
CONFIG_HZ_1000=y
CONFIG_HZ=1000
# CONFIG_CPU_FREQ is not set
CONFIG_NET_SCHED=y
CONFIG_NET_SCH_FIFO=y

Notice that in 2.6.22 there are new patches for Clock Source:

http://lists.openwall.net/netdev/2007/03/16/22

"These patches convert the packet schedulers to use ktime as only clock source and kill off the manual clock source selection. Additionally all packet schedulers are converted to use hrtimer-based Watchdogs, greatly increasing scheduling precision."

Regards,
Mario Antonio

From jonathan.gazeley at bristol.ac.uk Wed Aug 29 16:35:40 2007
From: jonathan.gazeley at bristol.ac.uk (Jonathan Gazeley)
Date: Wed Aug 29 16:35:45 2007
Subject: [LARTC] tc not matching
Message-ID: <46D5843C.6020606@bristol.ac.uk>

Dear all,

I'm having real problems getting tc to do anything useful at all. I'm also under pressure to get this fixed before the students start arriving later this month (I work in a university).

In short, I want each IP address to be hard limited to 128kbit down, 64kbit up, never to be allowed more bandwidth than this. It is also important that the latency remains reasonably low - maybe this implies a need to apply some sort of traffic filtering and classifying. I did manage to get a script semi-working but as soon as any decent bandwidth started flowing on the connection, the latency jumped up to >4000ms.
I tried to change my script to make it more classful and intelligent but I ended up breaking it and now it doesn't work at all. (Upon execution, I get '172.19.123.254 Illegal "match"')

I'm inexperienced with tc so I don't really know the best way to design such a system as this. I also struggle with the tc syntax. I only know what I need the end result to be.

I'd be very grateful if anyone could lend a hand to help me get this working in time for the start of term. I've attached my script at the end of this email.

Cheers,
Jonathan

#!/bin/sh

# Interfaces
LAN=eth0
WAN=eth1

# Maximum global uplink and downlink in mbit/s
GLOBAL_DOWN=100
GLOBAL_UP=100

# Maximum per-user download & upload speed in kbit/s
DOWNLINK=128
UPLINK=64
UPLINK=$((UPLINK/4)) # required because the old rate wasn't accurate

# IP range in each subnet
LOW_IP=2
HIGH_IP=254

#-----------------Don't mess with stuff below---------------|
#-----------------this line or you'll break it--------------|

# Flush existing rules
tc qdisc del dev $LAN root
# tc qdisc del dev $WAN root

# Create root class for 100mbit interface - total traffic can't exceed this
tc qdisc add dev $LAN root handle 1: cbq avpkt 1000 bandwidth ${GLOBAL_DOWN}mbit
tc qdisc add dev $LAN ingress handle ffff:

# Set useful counter
total=0

# Apply rules for all included subnets
for i in `seq $LOW_IP $HIGH_IP`
do
    total=$((total+1))
    echo 172.19.123.$i
    tc class add dev $LAN parent 1: classid 1:$total cbq rate ${DOWNLINK}kbit allot 1600 prio 1 bounded isolated
    tc filter add dev $LAN parent 1: protocol ip prio 1 u32 match ip dst 172.19.123.$i flowid 1:$total
    tc filter add dev $LAN parent ffff: protocol ip prio 50 u32 match ip src 172.19.123.$i police rate ${UPLINK}kbit burst 10k drop flowid :1
    tc filter add dev $LAN parent 1: protocol ip prio 11 u32 match ip protocol 1 0xff flowid 1:$total match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:$total
done

------------------------
Jonathan Gazeley
ResNet | Wireless & VPN Team
Information Systems & Computing
University of Bristol
------------------------

From santiago at elportal.net.ec Wed Aug 29 17:58:44 2007
From: santiago at elportal.net.ec (Santiago)
Date: Wed Aug 29 17:59:11 2007
Subject: [LARTC] Round Robin traffic shaping
Message-ID: <20070829154058.M78956@elportal.net.ec>

I have this problem:

I have an Internet line input with variable speed. I have a max speed and a min speed: Vmax and Vmin. The speed is always changing between Vmax and Vmin.

I want to share the actual bandwidth (you don't know how much, you only know the speed is between Vmax and Vmin) for N clients. The bandwidth should be shared so nobody can get more bandwidth than the others.

There are some queue disciplines like esfq and WRR. But these ones only work if you know the actual bandwidth. HTB works only with fixed bandwidth too.

I have studied all shaping and queue disciplines in linux, and I don't have a real solution yet.

Do you have any idea?

Santiago

-- 
This message has been scanned by MailScanner for viruses and other dangerous content, and is believed to be clean. MailScanner thanks transtec Computers for their support.

From santiago at elportal.net.ec Wed Aug 29 18:03:39 2007
From: santiago at elportal.net.ec (Santiago)
Date: Wed Aug 29 18:04:03 2007
Subject: [LARTC] How to share variable bandwidth with weighted round robin
In-Reply-To: <20070829154058.M78956@elportal.net.ec>
References: <20070829154058.M78956@elportal.net.ec>
Message-ID: <20070829160044.M8350@elportal.net.ec>

I have this problem:

I have an Internet line input with variable speed. I have a max speed and a min speed: Vmax and Vmin. The speed is always changing between Vmax and Vmin.

I want to share the actual bandwidth (you don't know how much, you only know the speed is between Vmax and Vmin) for N clients. The bandwidth should be shared so nobody can get more bandwidth than the others.

There are some queue disciplines like esfq and WRR (w.
But these ones only work if you know the actual bandwidth. HTB works only with fixed bandwidth too.

I have studied all shaping and queue disciplines in linux, and I don't have a real solution yet.

Do you have any idea?

Santiago

------- End of Forwarded Message -------

-- 
Open WebMail Project (http://openwebmail.org)

From jaorani at gmail.com Wed Aug 29 20:12:09 2007
From: jaorani at gmail.com (Javier Ors)
Date: Wed Aug 29 20:12:18 2007
Subject: [LARTC] How to share variable bandwidth with weighted round robin
In-Reply-To: <20070829160044.M8350@elportal.net.ec>
References: <20070829154058.M78956@elportal.net.ec> <20070829160044.M8350@elportal.net.ec>
Message-ID:

> There are some queue disciplines like esfq and WRR (w. But these ones only
> work if you know the actual bandwidth.

As far as I understand, at least sfq should work without knowing the actual bandwidth (you don't need to specify it in the qdisc creation). The problem with it is that it only works in the bottleneck of the network, where the queues form, which is usually the machine which has the hardware that makes the connection to the Internet. For example in this configuration...

Internet <--- cable/dsl/etc. ---> Router/Modem <---ethernet---> Firewall <---ethernet----> LAN

shaping outgoing traffic (traffic to the internet) with only sfq, esfq, prio, etc... will be useless if it is done in the firewall, because the queues will form in the router. It could be done in the same router if it has the capability (for example, it runs Linux inside and it is accessible by ssh or telnet). I haven't tried WRR but the same should apply.
Theoretically, at least as I see it, HTB could also be used without knowing the actual speed in the bottleneck: you just have to set the root class to a speed higher than Vmax and adjust the rates of the leaf classes to the desired ratios, or play with the quantums so that it behaves like a WRR or DRR (which is what it uses internally when the classes are borrowing). But I have made many attempts in this sense and all of them have been unsuccessful, I don't know why.

For incoming traffic it is another story, it can be done in the firewall, but it is a little trickier.

Even more theoretically, outgoing shaping could maybe also be done in the firewall if the router supports ECN, so that the queues could be formed in the firewall using this information without needing to reduce the bandwidth, but this is just a mental experiment which I still have pending to bring to practice, so don't pay much attention to this...

From santiago at elportal.net.ec Wed Aug 29 23:06:58 2007
From: santiago at elportal.net.ec (Santiago)
Date: Wed Aug 29 23:08:12 2007
Subject: [LARTC] How to share variable bandwidth with weighted round robin
In-Reply-To:
References: <20070829154058.M78956@elportal.net.ec> <20070829160044.M8350@elportal.net.ec>
Message-ID: <20070829204633.M41909@elportal.net.ec>

I thought the same thing a year ago. You set an htb class bigger than Vmax in the output ethernet, then you can attach esfq or WRR (sfq only works with connections and I need to work with destination ip addresses). But it never works.

Now I understand that if you set the class bigger than Vmax, the queue is always empty, and the qdisc is never used. You can adjust the htb class smaller than Vmin. Then you have a non-empty queue and the qdisc should work. But you are going to lose bandwidth if your ISP is sending to you a speed bigger than Vmin.

Internet (Vmax-Vmin)------>Ethernet input Linux box--------->Ethernet output linux box----------->Some lan users

The idea is all lan users get the same bandwidth in any moment. Nobody can get more bandwidth than the others.

Any other idea?

Santiago

On Wed, 29 Aug 2007 20:12:09 +0200, Javier Ors wrote
> As far as I understand, at least sfq should work without knowing the actual bandwidth (you don't need to specify it in the qdisc creation). The problem with it is that it only works in the bottleneck of the network, where the queues form, which is usually the machine which has the hardware that makes the connection to the Internet. For example in this configuration...
>
> Internet <--- cable/dsl/etc. ---> Router/Modem <---ethernet---> Firewall <---ethernet----> LAN
>
> shaping outgoing traffic (traffic to the internet) with only sfq, esfq, prio, etc... will be useless if it is done in the firewall, because the queues will form in the router. It could be done in the same router if it has the capability (for example, it runs Linux inside and it is accessible by ssh or telnet). I haven't tried WRR but the same should apply.
>
> Theoretically, at least as I see it, HTB could also be used without knowing the actual speed in the bottleneck: you just have to set the root class to a speed higher than Vmax and adjust the rates of the leaf classes to the desired ratios, or play with the quantums so that it behaves like a WRR or DRR (which is what it uses internally when the classes are borrowing). But I have made many attempts in this sense and all of them have been unsuccessful, I don't know why.
>
> For incoming traffic it is another story, it can be done in the firewall, but it is a little trickier.
> Even more theoretically, outgoing shaping maybe could be done also in the firewall if the router supports ECN, so that the queues could be formed in the firewall using this information without needing to reduce the bandwidth, but this is just a mental experiment which I still have to bring to practice, so don't pay much attention to this...

The original question:

I have this problem: I have an Internet line input with variable speed. I have a max speed and a min speed: Vmax and Vmin. The speed is always changing between Vmax and Vmin. I want to share the actual bandwidth (you don't know how much, you only know the speed is between Vmax and Vmin) for N clients. The bandwidth should be shared so nobody can get more bandwidth than the others. There are some queue disciplines like esfq and WRR (w. But these ones only work if you know the actual bandwidth. HTB works only with fixed bandwidth too. I have studied all shaping and queue disciplines in linux, and I don't have a real solution yet. Do you have any idea?

Santiago
From santiago at elportal.net.ec Wed Aug 29 23:18:35 2007
From: santiago at elportal.net.ec (Santiago)
Date: Wed Aug 29 23:19:09 2007
Subject: [LARTC] How tho share varible bandwidth with weighted round robin
In-Reply-To:
References: <20070829154058.M78956@elportal.net.ec> <20070829160044.M8350@elportal.net.ec>
Message-ID: <20070829211531.M24887@elportal.net.ec>

I am interested in the incoming traffic (from Internet to lan users). This is the problem.

On Wed, 29 Aug 2007 20:12:09 +0200, Javier Ors wrote
> As far as I understand, at least sfq should work without knowing the actual bandwidth (you don't need to specify it in the qdisc creation). The problem with it is that it only works in the bottleneck of the network, where the queues form, which is usually the machine which has the hardware that makes the connection to the Internet. For example in this configuration...
>
> Internet <--- cable/dsl/etc. ---> Router/Modem <---ethernet---> Firewall <---ethernet---->LAN
>
> shaping outgoing traffic (traffic to the internet) with only sfq, esfq, prio, etc... will be useless if it is done in the firewall, because the queues will form in the router. It could be done in the same router if it has the capability (for example, it runs Linux inside and it is accessible by ssh or telnet). I haven't tried WRR but the same should apply.
>
> Theoretically, at least as I see it, HTB could also be used without knowing the actual speed in the bottleneck; you just should set the root class to a speed higher than Vmax and adjust the rates of the leaf classes to the desired ratios, or play with the quantums so that it behaves like a WRR or DRR (which is what it uses internally when the classes are borrowing). But I have made many attempts in this sense and all of them have been unsuccessful, don't know why.
> For incoming traffic it is another story, it can be done in the firewall, but it is a little trickier.
>
> Even more theoretically, outgoing shaping maybe could be done also in the firewall if the router supports ECN, so that the queues could be formed in the firewall using this information without needing to reduce the bandwidth, but this is just a mental experiment which I still have to bring to practice, so don't pay much attention to this...

From rangi at ngen.net.nz Thu Aug 30 03:50:59 2007
From: rangi at ngen.net.nz (Rangi Biddle)
Date: Thu Aug 30 03:51:13 2007
Subject: [LARTC] Dead Gateway Detection & BGP
In-Reply-To: <46D506C9.90506@riverviewtech.net>
References: <00a101c7e806$adc89500$0959bf00$@net.nz> <46D2E2EA.3010803@riverviewtech.net> <46D3011D.1050709@riverviewtech.net> <46D38D55.9060201@vsnl.com> <46D506C9.90506@riverviewtech.net>
Message-ID: <000901c7eaa8$384c5380$a8e4fa80$@net.nz>

Hi Guys,

Well here's my two cents worth regarding this whole thing.

Firstly I can appreciate where Grant is coming from. There are a number of things that aren't so commonly done with Linux that the community currently doesn't provide answers for, and obviously there are people out there that know how to do things that the community cannot answer.
The issue I have with what Grant wants to provide (re: $1/min rate via email) is that I have no control over the amount of time that is spent writing an email or seeking answers to my questions, meaning I could spend $100's if not $1,000's of dollars getting a partial answer (not implying that that would be the case), but it is a point of concern.

I myself have been an active supporter of OSS and have contributed code and answers to not so common questions or have gone out of my way to assist others. Unfortunately, in this instance, it is I that am seeking help and am now being asked to pay for an answer to my question. Sounds somewhat like visiting a shrink.

In some instances, it doesn't quite surprise me that Linux isn't more mainstream and this being a primary example of it. If more of us knew how to do I believe Linux would become more mainstream because there are more of us available to actively support Linux systems which, as most of us are aware of, is the primary concern of most that purchase a Linux solution: "Who is going to look after it if you're not here or available?".

Bottom line is this, my boss refuses to pay someone that neither he nor I know. Primarily because this same person wants to provide a solution to us for an indeterminate price and if there is an issue at any point we are left with no way of knowing how to fix the issue and again be left with paying an indeterminate price for further support. What my boss is more happy to do is pay for a commercial solution regardless of price. It is mainly because he is aware of what he must pay before he purchases the solution and also because he knows that it will do what he wants including support if we have an issue. Obviously this would mean scrapping Linux out of the picture even with the amount of high regard I give to it.

So Grant, I'll put the ball back in your court.
Regards,
Rangi

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Grant Taylor
Sent: Wednesday, August 29, 2007 5:40 PM
To: Mail List - Linux Advanced Routing and Traffic Control
Subject: Re: [LARTC] Dead Gateway Detection & BGP

On 8/27/2007 9:49 PM, Mohan Sundaram wrote:
> Such a service is a much needed complement to forums to aid adoption of FOSS. I was doing this for a fairly long while as a knowhow provider.

*nod*

> There is a very thin line one needs to walk. Forums being used to vend services is frowned upon, rightly so. It is the concept of free sharing that gets violated. Even when I was a consultant, I used to offer complete advice to forums simply because it gave me satisfaction. I'd learnt a lot from the forums and this was my way of returning the coin.

Agreed. Normally I do tend to offer up the complete solution, especially if said solution or one very similar can be found elsewhere on the net with a bit of Googling. However, when the solution in question is one that was not readily available on the net and one that we spent a lot of time putting the puzzle pieces together for, we tend to hold on to some of it.

> There is a definite need and opportunity. Reasonable is dependent on a lot of factors and the same service yields different values to different customers.

Indeed.

> My philosophy: I think it is definitely possible to differentiate between personal time and company time. It is like social work. If you do something on your personal time that does not eat into your co's biz, I believe it is good to do so free. Even if you did do it such, so long as you do not charge for it, I believe it is not unethical.

I'm not sure what you are trying to get at there. I think you are saying that if you do it as personal time, then you probably should find some other sort of personal gratification.
If you do it as company time then it is more understandable if it is charged for. Am I anywhere close?

I can see how trolling a forum / news group looking for people asking questions and posting multiple follow up posts only saying "the company that I work for can provide you with a solution for X $s" is not so good. However, if you are an active member of a forum / news group and offer advice and pointers in the right direction to the solution of the question and state that "the company I work for can probably help provide a more complete solution, contact me if you are interested", is that a bit different?

I'm not trying to argue anything here, just completely understand what you are saying and make sure that you understand what I'm saying (making sure that communication is happening both ways) while discussing this.

Thank you for taking time to reply to my post.

Grant. . . .

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From gtaylor at riverviewtech.net Thu Aug 30 04:40:00 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Thu Aug 30 04:40:13 2007
Subject: [LARTC] Dead Gateway Detection & BGP
In-Reply-To: <000901c7eaa8$384c5380$a8e4fa80$@net.nz>
References: <00a101c7e806$adc89500$0959bf00$@net.nz> <46D2E2EA.3010803@riverviewtech.net> <46D3011D.1050709@riverviewtech.net> <46D38D55.9060201@vsnl.com> <46D506C9.90506@riverviewtech.net> <000901c7eaa8$384c5380$a8e4fa80$@net.nz>
Message-ID: <46D62E00.20008@riverviewtech.net>

On 8/29/2007 8:50 PM, Rangi Biddle wrote:
> Firstly I can appreciate where Grant is coming from.
> There are a number of things that aren't so commonly done with Linux that the community currently doesn't provide answers for, and obviously there are people out there that know how to do things that the community cannot answer.
> The issue I have with what Grant wants to provide (re: $1/min rate via email) is that I have no control over the amount of time that is spent writing an email or seeking answers to my questions, meaning I could spend $100's if not $1,000's of dollars getting a partial answer (not implying that that would be the case), but it is a point of concern.
> I myself have been an active supporter of OSS and have contributed code and answers to not so common questions or have gone out of my way to assist others. Unfortunately, in this instance, it is I that am seeking help and am now being asked to pay for an answer to my question. Sounds somewhat like visiting a shrink.
> In some instances, it doesn't quite surprise me that Linux isn't more mainstream and this being a primary example of it. If more of us knew how to do I believe Linux would become more mainstream because there are more of us available to actively support Linux systems which, as most of us are aware of, is the primary concern of most that purchase a Linux solution: "Who is going to look after it if you're not here or available?".

With regards to the amount of time spent on the email(s), I had indicated that I expected to spend between 30 minutes and 180 minutes total helping. Usually it takes me about 15 minutes or so to draft a detailed email and re-read / edit it before I send it. Indeed there are a lot of short one liners that take all of 30 seconds to send too. So, I don't think that there is concern with spending anywhere near $1,000's of dollars.
Even after all was said and done, I would probably negotiate with you to make sure that what I initially proposed to you (or anyone else for that matter) was mutually fair, if anything erring on the low side to make sure that things were fair.

I'm sorry for even remotely making you feel as if you have to pay for an answer to your question(s), I was not trying to imply that at all. At the time that I had written that I was dealing with a particularly difficult problem on which I had just spent numerous hours of my personal / company time (distinctions are *VERY* gray seeing as how my job is the same thing as my hobby). I would have happily paid what I considered to be a nominal rate to be able to talk with someone about what I was wanting to accomplish rather than working all those hours.

Look for a follow up email to your original post with more of an answer to your question shortly. At least it will contain what I would use to achieve what you are wanting to do, in so far as the logical blocks to your problem, not specific configuration instructions, which I leave as an exercise for an educated person (being anyone that can read readme files and think logically about networking and run a compiler). In contrast, if I was doing this for a client as I had initially offered, I would most likely end up giving much closer to step by step instructions including how to configure what interface and what MAC address to put where rather than leaving it up to said educated individual.

> Bottom line is this, my boss refuses to pay someone that neither he nor I know. Primarily because this same person wants to provide a solution to us for an indeterminate price and if there is an issue at any point we are left with no way of knowing how to fix the issue and again be left with paying an indeterminate price for further support.
> What my boss is more happy to do is pay for a commercial solution regardless of price.
> It is mainly because he is aware of what he must pay before he purchases the solution and also because he knows that it will do what he wants including support if we have an issue.
> Obviously this would mean scrapping Linux out of the picture even with the amount of high regard I give to it.

Ah, I think there is some more ambiguity showing through there. I can completely understand you and your boss's lack of willingness to blindly enter in to a business arrangement. First keep in mind that what was originally discussed / proposed is not a contractual agreement, simply an invitation to discuss things further to see if each party would be interested in doing business. More of a "Hey, here is what I can do, call me if you would like more details." type thing.

With regards to the indeterminate amount, to me that is not as much of an issue as some might think at present, because I do not know the true nature of what you are trying to accomplish nor have you heard my follow up responses that may provide a much better overall solution. Once we had spoken and discussed such things there would be a much firmer estimate and / or range of expected time to do whatever, as well as check points where either side of the agreement could back out gracefully with as little egg on their face as possible.

As far as being worried that some consultant would come in and change things without your knowledge (of the reasoning behind the change) or consent, in short "That would *NEVER* happen!" as it is quite simply unethical. Myself and my company would much rather help educate you along the way so that you can make the changes yourself, thus learn what needed to be done and why and how it affects things. Thus you would be the one doing the work while knowing how to do it and how to support it in the long run. I see my (company's) role in this as a guiding hand pointing you in the right direction and as a sounding board to discuss what really is the proper thing to do.
That is not to say that I would not be willing to log in to systems and make changes, though there would have to be a very well established relationship prior to anything remotely like that. I would much rather help educate you so that you can do things yourself. I personally would hate to see you have to scrap Linux or any other open source solution just because your company does not have the in house knowledge set to take full advantage of open source software.

> So Grant, I'll put the ball back in your court.

I apologize if the first pitch seemed to be a curve and / or knuckle ball. I was more going after a slow pitch softball with a note saying that I could offer more tailored support outside of the scope of this mailing list versus the more generic support that is usually found here. I.e. what we would do off mailing list would include me having a fuller understanding of your network structure including host names and interface configurations so that all communications can use such information to be as thorough as possible, versus the "System A" and "System B" approach which is left open to so much interpretation. Please let me know what you think of this (hopefully) underhanded slow pitch softball. ;)

> Regards,

Likewise.

Grant. . . .

From gtaylor at riverviewtech.net Thu Aug 30 05:58:46 2007
From: gtaylor at riverviewtech.net (Grant Taylor)
Date: Thu Aug 30 05:59:07 2007
Subject: [LARTC] Dead Gateway Detection & BGP
In-Reply-To: <00a101c7e806$adc89500$0959bf00$@net.nz>
References: <00a101c7e806$adc89500$0959bf00$@net.nz>
Message-ID: <46D64076.9050807@riverviewtech.net>

(Before anyone questions why I withheld information and went down the road that I did, I'd like to say that I had fully intended to respond with more detail, however other things going on both at work and home prevented me from doing so before now. I also sort of paused because of the discussion that arose out of the road that I did go down.)
On 8/26/2007 12:29 PM, Rangi Biddle wrote:
>            +-----------------+
>            | Uplink Provider |
>            +--------+--------+
>                     |
>           +---------+---------+
>           |                   |
>   +-------+-------+   +-------+-------+
>   | Cisco Router  |   | Cisco Router  |
>   +-------+-------+   +-------+-------+
>           |                   |
>   +-------+-------+   +-------+-------+
>   | Firewall # 1  |   | Firewall # 2  |
>   +---------------+   +-------+-------+
>
> Initially, the first task I was designated was to setup BGP routing on 2 firewalls. Each firewall is connected to its own Cisco router provided by the uplink provider and the uplink provider is only providing a default gateway/router to each of the firewalls. Now, having had minimal experience with BGP (minimal in terms of the broadness of what is possible with BGP) and using the information provided by the uplink provider I have setup BGP.

Questions:
- Are there multiple providers in this situation or one single provider that has chosen to do this type of set up?
- If there are multiple providers, are they in any sort of peering relationship between them?
- Is there supposed to be any sort of redundancy amongst the two Cisco routers or are they to be two purely independent non redundant connections?
- What type of connections are there in to the two Cisco routers?
- Are the Cisco routers actually routing, or just bridging between two layer 1 technologies?
- Is ethernet being used between the Cisco routers and the Debian firewalls?
- What type of (if any) IP address range overlap are we looking at?

Answers to each of these questions will most likely beget more questions until finally a much clearer picture of what ultimately is being done emerges. This is also part of why I was wanting to do this off mailing list as some of these answers are not appropriate for a public forum that is archived and searchable.

> What I have been recently informed of is that the 2 firewalls must do some sort of failover between them when either of the default gateways are no longer responsive.
> I had initially looked into using heartbeat (which I am still considering) to do the failover or possibly using vrrpd (Virtual Router Redundancy Protocol Daemon). This however isn't what I am contacting this list about. What I need to do at minimal, is at least for the failover, is to detect when the default gateway of (say) firewall 1 is no longer available and perform failover to firewall 2 and vice versa. As far as I am aware the only DGD support available is still through the patches that Julian Anastasov wrote for the 2.4 kernel series or by writing a script that uses arping to determine the last hop available.

Hum. I'm not entirely sure what is supposed to be redundant here, the Cisco routers, the Debian firewalls, a logical router (or routers) that are presented to your systems behind the firewalls, what. Will you please clarify?

> What other options are there?

More than you might initially think.

> I have done a fair amount of searching the internet only to come back to these 2 possibilities. Surely there must be something else...

Well, in my opinion, what you have proposed is a couple of different solutions to the same piece of the puzzle. Presuming that you are dealing with T-1s from your provider(s), let's start with a modified version of your above network layout.
          +-----------------+
          | Uplink Provider |
          +--------+--------+
                   |
         +---------+---------+
         |                   |
 +-------+---+---+   +---+---+-------+
 | Atlas 550     +---+ Atlas 550     |
 +-------+---+---+   +---+---+-------+
         |   |           |   |
         |    \         /    |
         |     \       /     |
         |      \     /      |
         |       \   /       |
         |        \ /        |
         |         X         |
         |        / \        |
         |       /   \       |
         |      /     \      |
         |     /       \     |
         |    /         \    |
         |   |           |   |
 +-------+---+---+   +---+---+-------+
 | Cisco Router  +---+ Cisco Router  |
 +-------+---+---+   +---+---+-------+
         |   |           |   |
         |    \         /    |
         |     \       /     |
         |      \     /      |
         |       \   /       |
         |        \ /        |
         |         X         |
         |        / \        |
         |       /   \       |
         |      /     \      |
         |     /       \     |
         |    /         \    |
         |   |           |   |
 +-------+---+---+   +---+---+-------+
 | Switch        +---+ Switch        |
 +-------+---+---+   +---+---+-------+
         |   |           |   |
         |    \         /    |
         |     \       /     |
         |      \     /      |
         |       \   /       |
         |        \ /        |
         |         X         |
         |        / \        |
         |       /   \       |
         |      /     \      |
         |     /       \     |
         |    /         \    |
         |   |           |   |
 +-------+---+---+   +---+---+-------+
 | Firewall # 1  +---+ Firewall # 2  |
 +-------+---+---+   +---+---+-------+
         |   |           |   |
         |    \         /    |
         |     \       /     |
         |      \     /      |
         |       \   /       |
         |        \ /        |
         |         X         |
         |        / \        |
         |       /   \       |
         |      /     \      |
         |     /       \     |
         |    /         \    |
         |   |           |   |
 +-------+---+---+   +---+---+-------+
 | Switch        +---+ Switch        |
 +-------+-------+   +-------+-------+
         |                   |
    ...--+--...--(LAN)--...--+--...

Now that the ASCII art is out of the way, let's have some explanation as to what each piece of the puzzle is for.

Physical Layer
--------------

The "Atlas 550"s are devices to switch / route T-1 on a phone company / circuit level. In other words they can take a T-1 in and give a T-1 out based on different conditions within the circuit on a given interface. In short the Atlas 550 will allow you to route an inbound T-1 to the primary interface if the equipment that the primary interface is connected to is up and handling traffic. If the equipment that the primary interface is connected to is not up and handling traffic, route the T-1 out the secondary interface.
If for some reason the equipment that the secondary interface is connected to is not handling traffic, route the T-1 out the tertiary interface to the backup Atlas in hopes that the cabling between the original Atlas and the primary and secondary equipment is down and that the backup Atlas has functioning cable.

The Cisco routers are similarly configured with two T-1 WICs each so that each can connect to both Atlas 550s. Also there is a similar setup between the Cisco routers and the ethernet switches and each other. Likewise the switches have a similar set up to connect to the firewall boxen as well as the firewall boxen do to the internal LAN switch(es).

Data Layer
----------

Each Atlas 550 can redundantly route its inbound T-1 to two different routers configured redundantly for each other or to the other Atlas 550. Each Cisco router can redundantly route its inbound T-1s to two different switches configured redundantly for each other or to the other router. Each switch can redundantly switch its inbound network segments to two different firewalls configured redundantly for each other or to the other switch. Each firewall can redundantly filter its inbound network segments to two different switches configured redundantly for each other or to the other firewall. Each switch can redundantly switch its inbound network segment to the internal LAN or to the other switch.

Network Layer
-------------

Each Atlas 550 would be configured to be able to handle the other's T-1 in the event that the other is unable to reach its desired router. Each Cisco router would be configured to be able to handle the other router's circuit in addition to its own circuit, thus you could have a Cisco router die without adversely affecting your network. If I could, I would probably use HSRP or VRRP between the Cisco routers so that they could be redundant for each other. Each switch is used for basic network connectivity allowing for more intermediary equipment.
If this is the only equipment you are going to have you could take the core switches out of the mix and go from the Cisco routers straight in to the firewalls. However these switches will allow for more future expansion and other options down the road. For example, either of the switches, if managed, would allow you to mirror traffic from one port to another for sniffing.

Each firewall would be able to filter traffic for its primary circuit as well as backup filter for the other firewall's backup circuit. I would use VRRP to allow multiple physical firewalls to be redundant for each other's IP address. For example, make firewall A be primary for IP 1 and secondary for IP 2 while making firewall B be primary for IP 2 and secondary for IP 1. Thus each firewall is redundant on its WAN facing side. Do something similar for the LAN facing side. If you decide that one connection from your provider is primary and the other is backup, you could route inbound traffic through one firewall while routing outbound traffic through the other firewall for load balancing / distribution reasons. If you have the ethernet switches in place you could even insert a third firewall as an inactive backup system to be used if either of the primary systems go down. I would recommend that you use ConnTrackd to synchronize the firewall state between the two (or more) firewalls.

Each switch is used to allow connectivity between the two (or more) firewalls with the internal LAN.

As you can see there really is not a single point of failure between where the provider leaves off and the workstations pick up.

> Thanks in advance to anyone that replies as I know that this topic seems to be coming up more and more frequently on the lists and must be getting somewhat tedious for most.

*nod*

> Regards,

*nod*

Chew on this and let me know what you think.

Grant. . . .
From jaorani at gmail.com Thu Aug 30 10:32:39 2007
From: jaorani at gmail.com (Javier Ors)
Date: Thu Aug 30 10:33:38 2007
Subject: [LARTC] How tho share varible bandwidth with weighted round robin
In-Reply-To: <20070829211531.M24887@elportal.net.ec>
References: <20070829154058.M78956@elportal.net.ec> <20070829160044.M8350@elportal.net.ec> <20070829211531.M24887@elportal.net.ec>
Message-ID:

> I am interested in the incoming traffic (from Internet to lan users).
> This is the problem.

Then there is no possibility to change the shaping to the bottleneck, as long as it is in the ISP routers. So you have to artificially create it in order to have a queue you can shape. There's only two ways you can achieve this, either you can:

a) Reduce the speed, the one you already know but are not happy with.

b) Increase the delay, you could achieve the queue just introducing a fixed delay to every packet that goes to the LAN. There is a qdisc called 'netem' that can do this, in principle it is only intended for emulating and testing, but it also can be used for this purpose (online gamers will not be very happy with this solution). I don't know if there is any other queuing discipline that can achieve this or if it is not good to do this for some technical reason.

Maybe it could be possible not to penalize either speed or delay using some kind of advanced solution that monitors how much bandwidth each host is consuming and penalizes only the hosts that are taking some % more than the average, or % more than totalactualspeed/N. But it will be very complicated as long as when a host is below the average you don't know whether it is for congestion or just because it is not making intensive use of the net.

Good luck, and remember that for incoming traffic you can only shape TCP connections, it makes no sense dropping UDP packets as long as they have no speed regulating mechanism, and once you have received them the bandwidth has already been wasted.
From lists at andyfurniss.entadsl.com Thu Aug 30 16:32:59 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Thu Aug 30 16:32:45 2007
Subject: [LARTC] subdivide 64 kbit bandwidth 32kbit for WWW and 32 Kbit for mail
In-Reply-To: <7ed6b0aa0708282347n73b0860dsba8ae007a21a0d64@mail.gmail.com>
References: <7ed6b0aa0708240148t7d55e830ke1c7bcf63a4ce219@mail.gmail.com> <46D36B69.7080509@andyfurniss.entadsl.com> <7ed6b0aa0708282347n73b0860dsba8ae007a21a0d64@mail.gmail.com>
Message-ID: <46D6D51B.7040201@andyfurniss.entadsl.com>

Indunil Jayasooriya wrote:
> Server only acts as a mail server and a proxy server. In addition to that, I ssh to that server from LAN. From that server too, I ssh to some servers. And also, I make ping to that server from LAN. Again, from that server I make ping to other servers. That's it.
>
> LAN users actually browse internet and send and receive mails via DMZ proxy server and Mail server. No other traffic.
>
> Thanks for your comments. Hope to hear from you.

I think the easiest way would be to make some netfilter rules to mark traffic coming in on eth0 and going out on eth1, and then make filters to match the marks. You could do it with just tc filters, but it's easier to write using iptables.

Something like (just an example - you may want to be more specific with the rules/add more and debug them!)
iptables -t mangle -A FORWARD -i eth0 -o eth1 -p tcp -m length --length 128: -j MARK --set-mark 3 So tcp from internet to dmz bigger than 128 gets mark 3 iptables -t mangle -A FORWARD -i eth0 -o eth1 -p tcp --dport 25 -m mark --mark 3 -j MARK --set-mark 2 big mail packets remarked to 2 so I am just assuming other big tcp is www iptables -t mangle -A FORWARD -i eth0 -o eth1 -m mark --mark 0 -j MARK --set-mark 1 Anything else unmarked form internet to dmz gets mark 1 tc qdisc del dev eth1 root &>/dev/null tc qdisc add dev eth1 root handle 1:0 htb tc class add dev eth1 parent 1:0 classid 1:1 htb rate 64kbit quantum 1514 tc class add dev eth1 parent 1:1 classid 1:10 htb rate 44kbit ceil 64kbit quantum 1514 prio 0 tc qdisc add dev eth1 parent 1:10 handle 10: bfifo limit 64k tc filter add dev eth1 parent 1:0 prio 1 protocol ip handle 1 fw flowid 1:10 tc class add dev eth1 parent 1:1 classid 1:20 htb rate 10kbit ceil 64kbit quantum 1514 prio 1 tc qdisc add dev eth1 parent 1:20 handle 20: sfq perturb 10 limit 10 tc filter add dev eth1 parent 1:0 prio 2 protocol ip handle 2 fw flowid 1:20 tc class add dev eth1 parent 1:1 classid 1:30 htb rate 10kbit ceil 64kbit quantum 1514 prio 1 tc qdisc add dev eth1 parent 1:30 handle 30: sfq perturb 10 limit 10 tc filter add dev eth1 parent 1:0 prio 3 protocol ip handle 3 fw flowid 1:30 This is just an untested example - I don't even run a mail server/proxy. You could, I suppose use sfq instead of bfifo for the small/non tcp class to help if you get flooded with syns or something. I gave it a higher rate even though it shouldn't have much traffic because htb seems to give better latency that way. The 10 packet limit on sfqs will cause drops, but should help keep latency low, but you may want to test and increase it. If you don't already shape on egress I would at least do something like the above so that sending big mail doesn't lag out the connection. 
Just making big tcp second class with sfq will stop DNS getting delayed by a backlogged link. Andy. From alijawad1 at gmail.com Thu Aug 30 16:45:38 2007 From: alijawad1 at gmail.com (Ali Jawad) Date: Thu Aug 30 16:45:47 2007 Subject: [LARTC] Priotirize SSH Traffic Message-ID: Hi All I am currently learning traffic shapping and I need a script that does prioritize SSH traffic on my debian router. My Internet interface is eth1 My Lan interface is eth0 My Internet connection is 256 kbit/s down and 128 kbit per second up. I hope someone does have a well documented (or maybe not so documented) example on which I can build further rules as needed. Thx All. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070830/8eeb146b/attachment.htm From vdautrem at ulb.ac.be Thu Aug 30 16:59:56 2007 From: vdautrem at ulb.ac.be (Vincent Dautremont) Date: Thu Aug 30 17:00:05 2007 Subject: Fwd: [LARTC] Priotirize SSH Traffic References: <5B0881D9-BAB7-4573-AAD8-A4100EC2D677@ulb.ac.be> Message-ID: <87BE0C2D-7AD9-49CC-8AEB-BFCC93E2E68E@ulb.ac.be> oops, i forgot to reply to the list :-/ D?but du message r?exp?di? : > De : Vincent Dautremont > Date : 30 ao?t 2007 16:58:26 GMT+02:00 > ? : Ali Jawad > Objet : R?p : [LARTC] Priotirize SSH Traffic > > try that > #tc qdisc add dev eth0 root handle1: prio > # tc filter add dev eth0 protocol ip parent 1: prio 1 u32 match ip > dport 22 0xffff flowid 1:1 > # tc filter add dev eth0 protocol ip parent 1: prio 2 u32 match u32 > 0 0 flowid 1:2 > 1st command create a queuing discipling with a priority queuing. > 2nd command, say to give first priority to packets that have > destination port number 22 (standard ssh port). > 3rd command, say to default traffic to have priority number 2. > > you should just have to change eth0 if you are using another > netword device, but you should already know that. > Vincent. > > Le 30 ao?t 07 ? 
> 16:45, Ali Jawad wrote:
>
>> Hi All
>> I am currently learning traffic shaping and I need a script that
>> does prioritize SSH traffic on my debian router.
>>
>> My Internet interface is eth1
>> My Lan interface is eth0
>>
>> My Internet connection is 256 kbit/s down and 128 kbit per second up.
>>
>> I hope someone does have a well documented (or maybe not so
>> documented) example on which I can build further rules as needed.
>>
>> Thx All.
>> _______________________________________________
>> LARTC mailing list
>> LARTC@mailman.ds9a.nl
>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

From lists at andyfurniss.entadsl.com Thu Aug 30 18:02:28 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Thu Aug 30 18:02:10 2007
Subject: [LARTC] Help about a QoS configuration
In-Reply-To:
References: <46D483B0.2040008@andyfurniss.entadsl.com>
Message-ID: <46D6EA14.5050106@andyfurniss.entadsl.com>

Javier Ors wrote:
> Very interesting information, anyway I think that I'll not need to do this,
> (I don't even think I can, patching the kernel and the iproute2 that run on
> the embedded system in the router, bufff...)
> Hopefully, I have found a simple solution that can achieve the proposed
> goals... It still needs further testing, but I think it'll work. I post it
> here, maybe someone else could be interested.

Ahh OK embedded. There may be hope then. I know that TI AR7 based routers don't have a buffer beyond the device. The one I tested didn't have any qdiscs built in apart from TIs prio/wrr, but it did work without any rate limiting.

The buffer that I was talking about would not have been the 100 txqueuelen, but would have filled up before any packets got queued in that.

>
> This is what I've tested so far:
>
>             prio qdisc
>                 |
>       --------------------------
>       |                        |
>   lower prio              higher prio
>       |                        |
>     pfifo                     htb*
>       |                   limit 60KB/s
>       |                        |
>      p2p                      ftp
>
> *(tbf could also have been used for this simple test)
>
> The results of this test were successful. I mean, with only the p2p the line
> was running at full saturation speed, when I started to use the ftp it
> reached the 60KB/s limit without problems with p2p taking the rest of the
> line, which never stopped working at full speed.
> Given these results, I think that the following scheme will work like a
> charm...
>

Was latency OK? If you can put a simple prio on the device with ICMP (and I suppose arp to be safe since your connection is bridged) to high band and all other to low, flood it with data and you still get good latency then there isn't much of a buffer beyond the device.

>                          prio qdisc
>                              |
>       ------------------------------------------------------
>       |                      |                             |
>   low priority        medium priority              high priority
>       |                      |                             |
>      sfq                    htb                          pfifo
>       |                dynamic limit                       |
>       |                      |                             |
>      p2p              ftp, web, mail...        small ACK's, ICMP, ssh...
>
> As you told me, I think that I can make a script that constantly checks the
> top speed on the prio (which will always be saturated due to the p2p), and
> adjusts the htb limit to some % of it, or subtracting a fixed quantity (the
> quantity that will rest for the p2p when running ftp at full speed, which is
> what I wanted to achieve in the beginning). I hope it'll work...

Yes I suppose that should be OK as long as the % wasn't too high.

Andy.

From tenos at ll.mit.edu Thu Aug 30 18:25:42 2007
From: tenos at ll.mit.edu (Tim Enos)
Date: Thu Aug 30 18:26:12 2007
Subject: [LARTC] Priotirize SSH Traffic
In-Reply-To: <87BE0C2D-7AD9-49CC-8AEB-BFCC93E2E68E@ulb.ac.be>
Message-ID: <200708301626.l7UGQ5RK025746@ll.mit.edu>

That script you included looks good, but it would be placed on eth1 (egress interface). The commands you included treat outbound, not inbound traffic.

Generally speaking it's best to mark traffic as close to the source as possible (e.g. as it enters a DS domain). Thinking only about SSH sessions initiated from his LAN, placing a single 'iptables' line on eth0 which (re)marks _incoming_ SSH traffic would seem the way to go. _For_ _example_ _only_, you might remark SSH to have DSCP AF23, then have a simple prio map on the egress which places such traffic in the topmost queue.

> -----Original Message-----
> From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl]
> On Behalf Of Vincent Dautremont
> Sent: Thursday, August 30, 2007 11:00 AM
> To: lartc@mailman.ds9a.nl
> Subject: Fwd: [LARTC] Priotirize SSH Traffic
>
> oops, i forgot to reply to the list :-/
>
>
> Begin forwarded message:
>
>
> From: Vincent Dautremont
> Date: 30 August 2007 16:58:26 GMT+02:00
> To: Ali Jawad
> Subject: Re: [LARTC] Priotirize SSH Traffic
>
> try that
> # tc qdisc add dev eth0 root handle 1: prio
> # tc filter add dev eth0 protocol ip parent 1: prio 1 u32 match ip dport 22 0xffff flowid 1:1
> # tc filter add dev eth0 protocol ip parent 1: prio 2 u32 match u32 0 0 flowid 1:2
> 1st command creates a queuing discipline with priority queuing.
> 2nd command says to give first priority to packets that have
> destination port number 22 (standard ssh port).
> 3rd command says to default traffic to have priority number 2.
>
> you should just have to change eth0 if you are using another network
> device, but you should already know that.
> Vincent.
>
> On 30 Aug 07 at 16:45, Ali Jawad wrote:
>
>
> Hi All
> I am currently learning traffic shaping and I need a script
> that does prioritize SSH traffic on my debian router.
>
> My Internet interface is eth1
> My Lan interface is eth0
>
> My Internet connection is 256 kbit/s down and 128 kbit per
> second up.
>
> I hope someone does have a well documented (or maybe not so
> documented) example on which I can build further rules as needed.
>
> Thx All.
>

From lists at andyfurniss.entadsl.com Thu Aug 30 19:54:37 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Thu Aug 30 19:54:17 2007
Subject: [LARTC] tc not matching
In-Reply-To: <46D5843C.6020606@bristol.ac.uk>
References: <46D5843C.6020606@bristol.ac.uk>
Message-ID: <46D7045D.6080407@andyfurniss.entadsl.com>

Jonathan Gazeley wrote:
> Dear all,
>
> I'm having real problems getting tc to do anything useful at all. I'm
> also under pressure to get this fixed before the students start arriving
> later this month (I work in a university).
>
> In short, I want each IP address to be hard limited to 128kbit down,
> 64kbit up, never to be allowed more bandwidth than this. It is also
> important that the latency remains reasonably low - maybe this implies a
> need to apply some sort of traffic filtering and classifying. I did
> manage to get a script semi-working but as soon as any decent bandwidth
> started flowing on the connection, the latency jumped up to >4000ms.
>
> I tried to change my script to make it more classful and intelligent but
> I ended up breaking it and now it doesn't work at all. (Upon execution,
> I get '172.19.123.254 Illegal "match"') I'm inexperienced with tc so I
> don't really know the best way to design such a system as this. I also
> struggle with the tc syntax. I only know what I need the end result to be.
>
> I'd be very grateful if anyone could lend a hand to help me get this
> working in time for the start of term. I've attached my script at the
> end of this email.

I've never used cbq so don't know how well it will do this, maybe htb would be better. maybe hfsc better still.

I don't know why you need /4 for the policers, perhaps if you tested on a lan with a short buffer like 10k you were seeing the rate before the drops or something.
TCP doesn't much like policers with LAN latency and short burst - it's not so bad with WAN latency, but if you have a 100meg to JANET maybe your WAN latency can be quite low as well.

If you have a multicore/smp CPU you shouldn't use CPU as a clocksource.

You need a -

tc qdisc del dev $LAN ingress

> # Create root class for 100mbit interface - total traffic can't exceed this

If you have a 100meg nic then 100mbit here is a bit high as the 100mbit line rate includes overheads not seen by TC.

> tc filter add dev $LAN parent 1: protocol ip prio 11 u32 match ip
> protocol 1 0xff flowid 1:$total match ip protocol 6 0xff match u8 0x05
> 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid
> 1:$total

This is the problem giving the error, it looks like two rules but one got partially deleted and lost the newline.

tc filter add dev $LAN parent 1: protocol ip prio 11 u32 match ip protocol 1 0xff flowid 1:$total

tc filter add dev $LAN parent 1: protocol ip prio 11 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:$total

They look redundant to me in this setup, though, as you already filter by ip address to 1:$total, so to do anything useful ICMP and small tcp+whatever the other bits match would need to go to different classes.

I would include UDP as interactive as well, though there are exceptions, but it shouldn't matter if you keep it within each user's.

If I have time later I'll test how I would do it.

Andy.

From vadtec at vadtec.net Fri Aug 31 01:55:25 2007
From: vadtec at vadtec.net (Vadtec)
Date: Fri Aug 31 01:55:39 2007
Subject: [LARTC] Question about how TC enforces bandwidth limiting
Message-ID: <46D758ED.2030705@vadtec.net>

Hello,

I run one of my PCs as my personal router, with iptables+tc to control traffic and be my firewall. In TC, I use a combination of htb, qdisc and sfq (as well as prio) to classify bandwidth. In my current setup, I have 10 classifications of my bandwidth. (Even I admit this is probably more than I need, but at this point I'm still learning, so I'll just leave them be.) This leads me to my question about how TC enforces maximum bandwidth limits.

I am on DSL internet with rates 1.5Mbps/384kbps. I do not make complete use of my pipe just in case of a massive burst. I know I will probably not burst such a massive burst, but it's better to be safe than sorry. To help understand this, here are the classes and their associated bandwidths as I have them set in TC: (MAX_RATE is 360kbps)

$TC qdisc add dev $IFext root handle 1: htb default 90
$TC class add dev $IFext parent 1: classid 1:1 htb rate $MAX_RATE quantum $QUANTUM
$TC class add dev $IFext parent 1:1 classid 1:10 htb rate 240kbps ceil $MAX_RATE prio 0 quantum $QUANTUM
$TC class add dev $IFext parent 1:1 classid 1:20 htb rate 192kbps ceil $MAX_RATE prio 1 quantum $QUANTUM
$TC class add dev $IFext parent 1:1 classid 1:30 htb rate 80kbps ceil $MAX_RATE prio 2 quantum $QUANTUM
$TC class add dev $IFext parent 1:1 classid 1:40 htb rate 64kbps ceil $MAX_RATE prio 3 quantum $QUANTUM
$TC class add dev $IFext parent 1:1 classid 1:50 htb rate 32kbps ceil $MAX_RATE prio 4 quantum $QUANTUM
$TC class add dev $IFext parent 1:1 classid 1:60 htb rate 20kbps ceil $MAX_RATE prio 5 quantum $QUANTUM
$TC class add dev $IFext parent 1:1 classid 1:70 htb rate 16kbps ceil $MAX_RATE prio 6 quantum $QUANTUM
$TC class add dev $IFext parent 1:1 classid 1:80 htb rate 8kbps ceil $MAX_RATE prio 7 quantum $QUANTUM
$TC class add dev $IFext parent 1:1 classid 1:90 htb rate 2kbps ceil $MAX_RATE prio 8 quantum $QUANTUM
$TC class add dev $IFext parent 1:1 classid 1:100 htb rate 2kbps ceil 20kbps prio 9 quantum $QUANTUM

$TC qdisc add dev $IFext parent 1:10 handle 10: sfq perturb 10
$TC qdisc add dev $IFext parent 1:20 handle 20: sfq perturb 10
$TC qdisc add dev $IFext parent 1:30 handle 30: sfq perturb 10
$TC qdisc add dev $IFext parent 1:40 handle 40: sfq perturb 10
$TC qdisc add dev $IFext parent 1:50 handle 50: sfq perturb 10
$TC qdisc add dev $IFext parent 1:60 handle 60: sfq perturb 10
$TC qdisc add dev $IFext parent 1:70 handle 70: sfq perturb 10
$TC qdisc add dev $IFext parent 1:80 handle 80: sfq perturb 10
$TC qdisc add dev $IFext parent 1:90 handle 90: sfq perturb 10
$TC qdisc add dev $IFext parent 1:100 handle 100: sfq perturb 10

Class 90 is the default. Class 100 is a special class, and what my question specifically relates to. Class 100 is for bit torrent. I do not like the other people in my house using very much bandwidth for torrenting as it has a tendency to slow things down too greatly. The problem I have is this: when I disable a given torrent client's upload limits, the bandwidth climbs to above the 20kbps limit I have set for it. When I classify the traffic in iptables, I put it into class 100, so it shouldn't be getting put into the default class. While I understand how/why TC enforces minimum bandwidth for a given class, why is it that for class 100 TC is not enforcing the cap of 20kbps on the traffic that is classified to it? Is there something else I need to do to make TC also enforce arbitrary maximum limits for a given classification?

Vadtec

From jaorani at gmail.com Fri Aug 31 03:33:08 2007
From: jaorani at gmail.com (Javier Ors)
Date: Fri Aug 31 03:33:19 2007
Subject: [LARTC] Help about a QoS configuration
In-Reply-To: <46D6EA14.5050106@andyfurniss.entadsl.com>
References: <46D483B0.2040008@andyfurniss.entadsl.com> <46D6EA14.5050106@andyfurniss.entadsl.com>
Message-ID:

> Ahh OK embedded. There may be hope then. I know that TI AR7 based
> routers don't have a buffer beyond the device. The one I tested didn't
> have any qdiscs built in apart from TIs prio/wrr, but it did work
> without any rate limiting.

Then I am a lucky guy, this is mine:

http://wiki.openwrt.org/OpenWrtDocs/Hardware/D-Link/DSL-G624T

I didn't look for it, it was just the one that the ISP gave to me with the connection. I was quite surprised when I realized that it was ssh-accessible, and even more when I checked that it has htb, cbq, sfq, prio, and even red with ecn. It seems that I received a good machine after all. As you see they are trying to port OpenWrt to it, if they get it maybe it'll be possible to apply russell's patches.

> The buffer that I was talking about would not have been the 100
> txqueuelen, but would have filled up before any packets got queued in
> that.

> Was latency OK? If you can put a simple prio on the device with ICMP
> (and I suppose arp to be safe since your connection is bridged) to high
> band and all other to low, flood it with data and you still get good
> latency then there isn't much of a buffer beyond the device.

Thanks again for all the info, luckily it's not the case, the latency is no more penalized than 20 ms in this situation, so it's ok, no buffers.

Just a question anyway... let's suppose that we have big buffers in the device and this penalizes the latency. Would these buffers also prevent shaping with a simple prio? As I understand, they shouldn't as long as any packet gets dropped between the qdisc and the device buffers, they would just fill up and then the queue would propagate to the qdisc, where the packet drop and the shaping should be done. Is this not the case for all drivers/interfaces?

> Yes I suppose that should be OK as long as the % wasn't too high.
>

I have also observed this behaviour but I hardly understand it. HTB works well only if you set a rate some % smaller than the congestion rate, then when you see tc -s class show, all the classes have relatively large queues (backlogged packets), and the shaping is smooth. But if you set the rate closer to the congestion rate (or higher) then you start to see empty queues in the classes and/or with few backlogged packets.

I can understand this happening in a LAN, but not in the adsl modem interface, theoretically the interface won't dequeue packets at a higher rate than it can send them. So the queues should form anyway in the classes whatever high rate you set to the root class... Otherwise neither HTB nor the prio class would work without rate limiting (like in a LAN), so I don't understand why in this case it works for the prio but not for HTB.

Thanks again for your help and time, and please don't feel forced to answer. I can live with these doubts, it's not a matter of life or death...

From lists at andyfurniss.entadsl.com Fri Aug 31 03:34:04 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Fri Aug 31 03:33:43 2007
Subject: [LARTC] tc not matching
In-Reply-To: <46D7045D.6080407@andyfurniss.entadsl.com>
References: <46D5843C.6020606@bristol.ac.uk> <46D7045D.6080407@andyfurniss.entadsl.com>
Message-ID: <46D7700C.4050105@andyfurniss.entadsl.com>

Andy Furniss wrote:
> If I have time later I'll test how I would do it.

I managed to have a play - CBQ doesn't seem too accurate, it let netperf get throughput of about 180kbit. HTB was OK so I used that.

Below is what I tested - I wouldn't consider it finished because it would probably be nicer to have SFQs on the bulk classes and something shorter on the interactives.

I don't know how much memory this does/could use, if you don't specify child qdiscs htb uses pfifos with a length taken from txqueuelen (1000 on eth) so that adds up to quite a bit. With window scaling on and a netperf running for each IP I managed to backlog >200 packets on each.

Rather than police you could, if using recentish 2.6, use ifb and have the same setup on ingress eth0. Or if you don't do nat on the same box, on the wan.
If you do do nat and don't have ifb then you need to use netfilter to mark by ip and match the marks.

If the hosts are wireless, then there may be other ways to make things better - not that I have wireless myself, but if there is much packet loss I always thought it would be better to proxy wan and have different MTU/MSS for the wlan - maybe also use one of the tcp congestion controls that's less sensitive to random loss.

It would be more elegant to use tc's hashing but I've not done that before. The filters are nested so only the IP matches see up to all the traffic. I just matched tcp length <128 / not tcp for interactive.

If you want counters for filter hits

tc -s filter ls dev eth0 for top level
tc -s filter ls dev eth0 parent 1:1 for the children
tc -s class ls dev eth0 for loads of htb data - beware the rates use a long average, it takes 100sec for them to be right for me.

Andy

#!/bin/sh
#set -x

# Interfaces
LAN=eth0

DOWNLINK=128

# IP range in each subnet
LOW_IP=2
HIGH_IP=254

# Flush existing rules
tc qdisc del dev $LAN root

tc qdisc add dev $LAN root handle 1: htb

# Set useful counter
total=0

# Apply rules for all included subnets
for i in `seq $LOW_IP $HIGH_IP`
do
total=$((total+1))
echo 172.19.123.$i

tc class add dev $LAN parent 1: classid 1:$total htb rate ${DOWNLINK}kbit
tc class add dev $LAN parent 1:$total classid 1:a$total htb rate 100kbit ceil ${DOWNLINK}kbit prio 0
tc class add dev $LAN parent 1:$total classid 1:b$total htb rate 28kbit ceil ${DOWNLINK}kbit prio 1

# NB: Andy's follow-up says this "src" was meant to be "dst" on the LAN side
tc filter add dev $LAN parent 1: protocol ip prio 1 u32 match ip src 172.19.123.$i flowid 1:$total
tc filter add dev $LAN parent 1:$total protocol ip prio 2 u32 match ip protocol 6 0xff match u16 0x0000 0xff80 at 2 flowid 1:a$total
tc filter add dev $LAN parent 1:$total protocol ip prio 3 u32 match ip protocol 6 0xff flowid 1:b$total
tc filter add dev $LAN parent 1:$total protocol ip prio 4 u32 match u32 0 0 flowid 1:a$total
done

From kaber at trash.net Fri Aug 31 11:43:29 2007
From: kaber at trash.net (Patrick McHardy)
Date: Fri Aug 31 11:44:56 2007
Subject: [LARTC] Clock Source Kernel settings in 2.6.22
In-Reply-To: <45E4FD623F464B30A0067FF269007B89@shadow>
References: <20070828074738.GF17475@DervishD> <20070828231936.22b9683a@localhost> <45E4FD623F464B30A0067FF269007B89@shadow>
Message-ID:

On Wed, 29 Aug 2007, Mario Antonio Garcia wrote:

> I wonder if somebody has got good results (accurate shaping) using 2.6.22?
>
> I am testing with 2.6.22.1, and I haven't been able to get accurate shaping.
> For instance, I tried:
> $TC qdisc add dev eth0 root handle 1: htb default 1
> $TC class add dev eth0 parent 1: classid 1:1 htb
>     rate 100000kbit ceil 100000kbit burst 24k cburst 24k
> $TC class add dev eth0 parent 1:1 classid 1:10 htb
>     rate 20000kbit ceil 20000kbit burst 24k cburst 24k
>
> and class 1:10 shapes the traffic to 19900kbit instead of 20000kbit
> (bandwidth tests made with ftp and iperf)

That seems pretty close. What values do you get with older kernels?

From jonathan.gazeley at bristol.ac.uk Fri Aug 31 12:10:30 2007
From: jonathan.gazeley at bristol.ac.uk (Jonathan Gazeley)
Date: Fri Aug 31 12:10:36 2007
Subject: [LARTC] tc not matching
In-Reply-To: <46D7700C.4050105@andyfurniss.entadsl.com>
References: <46D5843C.6020606@bristol.ac.uk> <46D7045D.6080407@andyfurniss.entadsl.com> <46D7700C.4050105@andyfurniss.entadsl.com>
Message-ID: <46D7E916.9000604@bristol.ac.uk>

Hi Andy,

Thanks a bunch for your help - really good of you to put time into helping a newbie.

Andy Furniss wrote:
> I managed to have a play - CBQ doesn't seem too accurate, it let
> netperf get throughput of about 180kbit. HTB was OK so I used that.

I was only using CBQ because that's what was being used in the tutorials and howtos I looked at - there doesn't seem to be a massive amount of documentation out there. My script was basically a copy & paste job... If you recommend HTB then I'll give it a try.

> If you have a multicore/smp CPU you shouldn't use CPU as a
> clocksource. I don't know how much memory this does/could use, if you
> don't specify child qdiscs htb uses pfifos with a length taken from
> txqueuelen (1000 on eth) so that adds up to quite a bit. With window
> scaling on and a netperf running for each IP I managed to backlog >200
> packets on each.

It runs on relatively sporty hardware and doesn't do anything other than NAT and shaping, so I don't think memory usage is really a problem. It has dual processors so I guess that means I shouldn't use CPU as a clocksource.

> Rather than police you could, if using recentish 2.6, use ifb and have
> the same setup on ingress eth0. Or if you don't do nat on the same box,
> on the wan. If you do do nat and don't have ifb then you need to use
> netfilter to mark by ip and match the marks.

This box is also a NAT box, so I'll do marking with iptables to sort the incoming traffic. I read about it somewhere on Google so I'm sure I can manage! If I'm marking packets with iptables, would it be better to shape them as they leave on the internal interface, rather than doing something with ingress on the external interface?

What is ifb? For once, Google doesn't seem to turn up much.

Cheers,
Jonathan

------------------------
Jonathan Gazeley
ResNet | Wireless & VPN Team
Information Systems & Computing
University of Bristol
------------------------

From linkrupak at gmail.com Fri Aug 31 17:58:58 2007
From: linkrupak at gmail.com (rupak shrestha)
Date: Fri Aug 31 17:59:07 2007
Subject: [LARTC] newbiew required some help
In-Reply-To: <002401c7d507$9add4bf0$d097e3d0$@is>
References: <46ADCE10.6080906@bristol.ac.uk> <20070730141028.GF20842@nyx> <46AEEBCF.70700@oldum.net> <46AF02C9.8030309@bristol.ac.uk> <46AF0823.3050404@oldum.net> <46AF0A2E.3060207@bristol.ac.uk> <46AF1C07.9030206@oldum.net> <46AF412A.9000200@bristol.ac.uk> <46AF4826.40400@oldum.net> <002401c7d507$9add4bf0$d097e3d0$@is>
Message-ID:

Maybe Bandwidthd could be of help. Google for it, as I don't remember its exact location on the net.

On 8/2/07, Anil Thapa wrote:
>
> Hello all,
>
> Perhaps this is very easy but i have no idea how to do this. Anyway I have
> two linux servers (Redhat ent5) with 1Gbps switch. How can i monitor the
> bandwidth used between them? Or are there any tools that i can use to
> observe this? i understand if it were a manageable switch then it might be
> possible.
> In this case this 1Gbps is an unmanaged switch.
>
> Any idea or suggestion would be helpful.
>
>
> \\AT
>

From lartc at dervishd.net Fri Aug 31 18:26:24 2007
From: lartc at dervishd.net (DervishD)
Date: Fri Aug 31 18:26:50 2007
Subject: [LARTC] About "b" meaning "byte" and bit
Message-ID: <20070831162624.GA6133@DervishD>

Hi all :)

I think that this issue has already been discussed on this list, but google didn't find anything interesting, so I'm bringing the subject up again.

The output of "tc" uses "b" meaning "byte" and "bit" for "bit". The "official" suffixes for those units are "B" and "b", respectively, and on top of this, I'm not sure if "kbit" means "kilobit" or "kibibit" in "tc" output.

I haven't had time to look at iproute2 sources, so I don't know if this should be dealt with in iproute2 or in the kernel itself. Most of the kernel has switched to SI units already, and IMHO most of the utils should do the same, to avoid the endless problem of SI vs. binary units.

This said, maybe this weird syntax is used in tc so third party apps can parse the output. These apps certainly will break if a change in the syntax is made, but otherwise I see no reason to keep using "b" instead of "B" and "bit" instead of "b".

Currently the only way of having a sane syntax (and not only regarding units...) is "tcng"?

If such a modification is seen as appropriate, I volunteer to make the patch.

Raúl Núñez de Arenas Coronado

--
Linux Registered User 88736 | http://www.dervishd.net
It's my PC and I'll cry if I want to... RAmen!

From talk2ram at gmail.com Fri Aug 31 19:00:50 2007
From: talk2ram at gmail.com (ram)
Date: Fri Aug 31 19:00:55 2007
Subject: [LARTC] newbiew required some help
In-Reply-To: <002401c7d507$9add4bf0$d097e3d0$@is>
References: <46ADCE10.6080906@bristol.ac.uk> <20070730141028.GF20842@nyx> <46AEEBCF.70700@oldum.net> <46AF02C9.8030309@bristol.ac.uk> <46AF0823.3050404@oldum.net> <46AF0A2E.3060207@bristol.ac.uk> <46AF1C07.9030206@oldum.net> <46AF412A.9000200@bristol.ac.uk> <46AF4826.40400@oldum.net> <002401c7d507$9add4bf0$d097e3d0$@is>
Message-ID:

On 8/2/07, Anil Thapa wrote:
>
> Hello all,
>
> Perhaps this is very easy but i have no idea how to do this. Anyway I have
> two linux servers (Redhat ent5) with 1Gbps switch. How can i monitor the
> bandwidth used between them? Or are there any tools that i can use to
> observe this? i understand if it were a manageable switch then it might be
> possible.
> In this case this 1Gbps is an unmanaged switch.
>
> Any idea or suggestion would be helpful.

Install SNMP and MRTG does the job

ram
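DervishD's point about tc's unit suffixes matters for scripts such as Vadtec's class list above: tc reads a number with a "bps" suffix as bytes per second, eight times the same number with "bit". The helper below is an added example, not code from any message in this thread; it expands tc rate strings to bit/s and audits a constructed "classid rate ceil" list against the parent rate and the real link, assuming the decimal unit semantics of current iproute2 (older tc releases treated some suffixes as powers of two, which is the ambiguity DervishD raises).

```shell
#!/bin/sh
# Added example (not from the thread): expand tc rate suffixes and audit an
# HTB class list. Assumption: current iproute2 semantics, where "kbit" is
# 1000 bit/s, "kbps" is 1000 bytes/s (8000 bit/s) and "kibit"/"kibps" are
# the binary variants.

# Print the rate string in $1 (e.g. 20kbps, 360kbit, 1.5mbit) in bit/s.
tc_rate_to_bps() {
    rate=$1
    num=$(printf '%s' "$rate" | sed 's/[^0-9.].*$//')
    unit=$(printf '%s' "$rate" | sed 's/^[0-9.]*//' | tr 'A-Z' 'a-z')
    [ -n "$num" ] || { echo "bad rate: $rate" >&2; return 1; }
    case "$unit" in
        ''|bit) mult=1 ;;
        kbit)   mult=1000 ;;
        kibit)  mult=1024 ;;
        mbit)   mult=1000000 ;;
        mibit)  mult=1048576 ;;
        gbit)   mult=1000000000 ;;
        bps)    mult=8 ;;
        kbps)   mult=8000 ;;
        kibps)  mult=8192 ;;
        mbps)   mult=8000000 ;;
        mibps)  mult=8388608 ;;
        gbps)   mult=8000000000 ;;
        *) echo "unknown unit '$unit' in $rate" >&2; return 1 ;;
    esac
    awk -v n="$num" -v m="$mult" 'BEGIN { printf "%.0f\n", n * m }'
}

# Succeeds when the rate string uses a byte suffix (the "bps" family).
tc_rate_is_bytes() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *bps) return 0 ;;
        *)    return 1 ;;
    esac
}

# Audit HTB classes read from stdin, one per line: "<classid> <rate> <ceil>"
# (a constructed input format for this example, not tc output). $1 is the
# parent class rate as a tc rate string, $2 the physical link in kbit/s.
# Prints one line per finding and returns the number of real problems
# (byte-suffixed rates are only reported, since they may be intentional).
htb_check_classes() {
    parent_bps=$(tc_rate_to_bps "$1") || return 1
    link_bps=$(( $2 * 1000 ))
    problems=0
    sum=0
    if [ "$parent_bps" -gt "$link_bps" ]; then
        echo "parent rate $1 ($parent_bps bit/s) exceeds link ($link_bps bit/s)"
        problems=$((problems + 1))
    fi
    while read -r cid rate ceil; do
        [ -n "$cid" ] || continue
        r=$(tc_rate_to_bps "$rate") || return 1
        c=$(tc_rate_to_bps "$ceil") || return 1
        if tc_rate_is_bytes "$rate" || tc_rate_is_bytes "$ceil"; then
            echo "note: $cid uses a bytes-per-second suffix ($rate / $ceil)"
        fi
        if [ "$c" -gt "$parent_bps" ]; then
            echo "$cid: ceil $ceil exceeds parent rate $1"
            problems=$((problems + 1))
        fi
        sum=$((sum + r))
    done
    if [ "$sum" -gt "$parent_bps" ]; then
        echo "child rates sum to $sum bit/s, more than the parent's $parent_bps"
        problems=$((problems + 1))
    fi
    return $problems
}
```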
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070831/88c44697/attachment.htm From karme at berlios.de Fri Aug 31 20:38:34 2007 From: karme at berlios.de (Jens Thiele) Date: Fri Aug 31 20:38:47 2007 Subject: [LARTC] tc not matching In-Reply-To: <46D7E916.9000604@bristol.ac.uk> (Jonathan Gazeley's message of "Fri, 31 Aug 2007 11:10:30 +0100") References: <46D5843C.6020606@bristol.ac.uk> <46D7045D.6080407@andyfurniss.entadsl.com> <46D7700C.4050105@andyfurniss.entadsl.com> <46D7E916.9000604@bristol.ac.uk> Message-ID: <873axzr1lh.fsf@berlios.de> Hi Jonathan, On 31 Aug 2007, jonathan.gazeley@bristol.ac.uk wrote: > > Hi Andy, > > Thanks a bunch for your help - really good of you to put time into > helping a newbie. > > Andy Furniss wrote: >> Rather than police you could, if using recentish 2.6 use ifb and >> have the same setup on ingress eth0. Or if you don't do nat on the >> same box on the wan. If you do do nat and don't have ifb then you >> need to use netfilter to mark by ip and match the marks. > > This box is also a NAT box, so I'll do marking with iptables to sort > the incoming traffic. I read about it somewhere on Google so I'm sure > I can manage! If I'm marking packets with iptables, would it be better > to shape them as they leave on the internal interface, rather than > doing something with ingress on the external interface? As long as you do not want to shape traffic from/to the box itself, the easiest solution is to shape on egress (at least if you only have two interfaces). If you want to also shape traffic from/to the box itself and don't do NAT, you can use ifb. ifb is a pseudo device you can redirect incoming traffic to, using tc. then you can attach egress qdisc to that pseudo device. If you want to also shape traffic from/to the box itself and do NAT, you still have to use IMQ (http://www.linuximq.net/) - I think. The latest kernel I have good results with IMQ ist 2.6.18. 
Greetings
Jens

From dino at webjogger.net  Fri Aug 31 20:46:01 2007
From: dino at webjogger.net (Mario Antonio Garcia)
Date: Fri Aug 31 20:46:13 2007
Subject: [LARTC] Clock Source Kernel settings in 2.6.22
References: <20070828074738.GF17475@DervishD> <20070828231936.22b9683a@localhost> <45E4FD623F464B30A0067FF269007B89@shadow>
Message-ID:

I used to get an average of 18900kbit.
My hope was that these new patches would bring better accuracy.

Notice the 24 cburst. I am just trying to compensate the inaccuracy this way.
If I remove the cburst, obviously the shape rate I get goes down.

Perhaps I am missing something. I am just a novice trying to get exact
bandwidth shaping. I have tested all the clock source types with no good
results.

Regards,

Mario Antonio

----- Original Message -----
From: "Patrick McHardy"
To: "Mario Antonio Garcia"
Cc:
Sent: Friday, August 31, 2007 5:43 AM
Subject: Re: [LARTC] Clock Source Kernel settings in 2.6.22

> On Wed, 29 Aug 2007, Mario Antonio Garcia wrote:
>
>> I wonder if somebody has got good results (accurate shaping) using
>> 2.6.22?
>>
>> I am testing with 2.6.22.1, and I haven't been able to get accurate
>> shaping.
>> For instance, I tried:
>> $TC qdisc add dev eth0 root handle 1: htb default 1
>> $TC class add dev eth0 parent 1: classid 1:1 htb
>>     rate 100000kbit ceil 100000kbit burst 24k cburst 24k
>> $TC class add dev eth0 parent 1:1 classid 1:10 htb
>>     rate 20000kbit ceil 20000kbit burst 24k cburst 24k
>>
>> and class 1:10 shapes the traffic to 19900kbit instead of 20000kbit
>> (bandwidth tests made with ftp and iperf)
>
> That seems pretty close. What values do you get with older kernels?
From lists at andyfurniss.entadsl.com  Fri Aug 31 21:53:23 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Fri Aug 31 21:53:24 2007
Subject: [LARTC] tc not matching
In-Reply-To: <46D7E916.9000604@bristol.ac.uk>
References: <46D5843C.6020606@bristol.ac.uk> <46D7045D.6080407@andyfurniss.entadsl.com> <46D7700C.4050105@andyfurniss.entadsl.com> <46D7E916.9000604@bristol.ac.uk>
Message-ID: <46D871B3.40901@andyfurniss.entadsl.com>

Jonathan Gazeley wrote:
> Hi Andy,
>
> Thanks a bunch for your help - really good of you to put time into
> helping a newbie.
>
> Andy Furniss wrote:
>> I managed to have a play - CBQ doesn't seem too accurate, it let
>> netperf get throughput of about 180kbit. HTB was OK so I used that.
> I was only using CBQ because that's what was being used in the tutorials
> and howtos I looked at - there doesn't seem to be a massive amount of
> documentation out there. My script was basically a copy & paste job...
> If you recommend HTB then I'll give it a try.

OK - I just noticed I forgot to change

... match ip src 172.19.123.$i ...

back to match dst, so if you copy & paste mine you'll need to.

>> If you have a multicore/smp CPU you shouldn't use CPU as a
>> clocksource. I don't know how much memory this does/could use, if you
>> don't specify child qdiscs htb uses pfifos with a length taken from
>> txqueuelen (1000 on eth) so that adds up to quite a bit. With window
>> scaling on and a netperf running for each IP I managed to backlog >200
>> packets on each.
> It runs on relatively sporty hardware and doesn't do anything other than
> NAT and shaping, so I don't think memory usage is really a problem. It
> has dual processors so I guess that means I shouldn't use CPU as a
> clocksource.

Yes I guess so - I haven't got anything other than uniprocessors so don't
know what's best. Whatever you choose I would still use Hz 1000 as HTB is
a bit more accurate that way. I also haven't tried no Hz yet so don't know
what that's like.
>> Rather than police you could, if using recentish 2.6 use ifb and have
>> the same setup on ingress eth0. Or if you don't do nat on the same box
>> on the wan. If you do do nat and don't have ifb then you need to use
>> netfilter to mark by ip and match the marks.
> This box is also a NAT box, so I'll do marking with iptables to sort the
> incoming traffic. I read about it somewhere on Google so I'm sure I can
> manage! If I'm marking packets with iptables, would it be better to
> shape them as they leave on the internal interface, rather than doing
> something with ingress on the external interface?
>
> What is ifb? For once, Google doesn't seem to turn up much.

You have it already if

modprobe ifb
ip link set up dev ifb0

works for you; if not, it's called intermediate functional block under
netdevices in kernel config.

If you had ifb then you could just use the same script with the different
rates and tc src match. No need to use netfilter as you could direct the
incoming traffic on eth0 to the ifb0 device with a tc filter and it would
be shaped before any NAT happened.

# the ingress hook is a qdisc, so it is added with "qdisc add", not "filter add"
tc qdisc add dev eth0 ingress
tc filter add dev eth0 parent ffff: protocol ip u32 match ip src 172.17.123.0/24 flowid 1:0 action mirred egress redirect dev ifb0

then just change the script so LAN=ifb0, the rates and ... match ip src ...

But as you say you can also easily shape on wan and use netfilter marks.

I assume your box only forwards traffic for 172.17.123.0/24; if there is
traffic to and from the box itself then you need to decide whether it
needs shaping as well and make a filter to exempt it, or if it is to be
shaped then you need to think about whether the nic, if it's gig eth, does
tcp segmentation offload. If it does you can turn it off with ethtool -k.

Andy.
> Cheers,
> Jonathan
>
> ------------------------
> Jonathan Gazeley
> ResNet | Wireless & VPN Team
> Information Systems & Computing
> University of Bristol
> ------------------------

From aidanjoh at gmail.com  Sat Sep 1 17:11:00 2007
From: aidanjoh at gmail.com (Aidan Johnstone)
Date: Sat Sep 1 17:11:18 2007
Subject: [LARTC] complete linux and shaping newbie needs help
Message-ID: <15c3fe2b0709010811o6caedc52u546c07c9f8ca6115@mail.gmail.com>

Hi there good people,

I'm a newbie in what concerns running Linux on machines other than
desktops, so I need help from all you gurus out there :-)

I have Linux installed on an old computer (Winchip C6, Pentium clone),
acting as a router/firewall for two other computers. Both these machines
are connected to the firewall via a dedicated ethernet card each, on
different subnets, 192.168.0.7 (eth1) and 192.168.10.3 (eth2). Internet
connection (eth0) is a 3Mbit/320Kbit cable modem.

The firewall box is configured with iptables, like this:

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables -A FORWARD -i eth1 -j ACCEPT
# iptables -A FORWARD -i eth2 -j ACCEPT

At this point I have to stress that I am a complete networking/shaping
newbie. I've read the FAQ at lartc.org and my head is still hurting, as it
basically felt I was reading Greek. Really ;-)

Right now I have wondershaper htb running to smooth things out, and
everything is great. The problem is our internet connection is metered by
the Gb, and our monthly cap is somewhat low. My roommate (computer
connected to eth2, 192.168.10.x) tends to abuse this (a lot), so I was
thinking of throttling his connection to around half of our 3Mbits, in
order to lower our monthly bill. I have read some stuff I found online, but
I must face the reality that I really don't know what I'm doing ;-) So, I
thought I'd ask you guys, since you're obviously much more familiar with
the subject.
Could anyone tell me, given the above scenario (masquerading,
wondershaper), what 'tc' and 'iptables' commands I should enter on the
firewall to limit his ip (192.168.10.3) to, say, 200kb/s (~1650Kbps, if
I've done the math right), hard, without the possibility of "borrowing"
extra bandwidth even if the connection is otherwise idle?

Any help is really appreciated, otherwise I think I'll have to kick him
out, and I really don't want to come to that!

Thanks!
Aidan

From arman.anwar at gmail.com  Sat Sep 1 23:01:35 2007
From: arman.anwar at gmail.com (Arman)
Date: Sat Sep 1 23:01:41 2007
Subject: [LARTC] 2 ISP connection sharing problem
Message-ID: <13c1e7670709011401r7b9961f8w8ee1122e0a7e5973@mail.gmail.com>

Hi all,

I have a similar question like many asked before, I know, but please help
as I can't figure out where the problem is and how I should tackle it.

I have 2 ISP connections. I want to share the bandwidth from both. I have
copied the script from many places and created my own after changes.
Problem is that only one connection is utilized at a time. Not both
working. The ratio of bandwidth consumed between them is around 1:30.

Both connections are from dhcp that is dynamic. Configuration from 1 ISP
remains the same and from 1 changes.
EXTERNAL_IP_2="201.81.219.95"
EXTERNAL_NETWORK_2="201.81.219.0"
EXTERNAL_GATEWAY_IP_2="201.81.219.1"

echo 200 T1 >> /etc/iproute2/rt_tables
echo 201 T2 >> /etc/iproute2/rt_tables

ip route add 192.168.1.0 dev eth1 src 192.168.1.2 table T1
ip route add default via 192.168.1.1 table T1
ip route add $EXTERNAL_NETWORK_2 dev eth2 src $EXTERNAL_IP_2 table T2
ip route add default via $EXTERNAL_GATEWAY_IP_2 table T2

ip route add 192.168.3.0 dev eth0 table T1
ip route add 192.168.1.0 dev eth1 table T1
ip route add 127.0.0.0/8 dev lo table T1
ip route add 192.168.3.0 dev eth0 table T2
ip route add $EXTERNAL_NETWORK_2 dev eth2 table T2
ip route add 127.0.0.0/8 dev lo table T2

ip route add 192.168.1.0 dev eth1 src 192.168.1.2
ip route add $EXTERNAL_NETWORK_2 dev eth2 src $EXTERNAL_IP_2

ip route add default via $EXTERNAL_GATEWAY_IP_2

ip rule add from 192.168.1.2 table T1
ip rule add from $EXTERNAL_IP_2 table T2

ip route add default scope global nexthop via 192.168.1.1 dev eth1 weight 1 nexthop via $EXTERNAL_GATEWAY_IP_2 dev eth2 weight 2

route command output is

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.255 UH    0      0        0 eth1
192.168.3.0     *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
201.81.219.0    *               255.255.255.0   U     0      0        0 eth2
default         201.81.219.1    0.0.0.0         UG    0      0        0 eth2

Problem is that only the interface which is set as gateway is used. The
other one remains idle.

--
Regards,
Arman
From netsecuredata at gmail.com  Sun Sep 2 01:33:35 2007
From: netsecuredata at gmail.com (Jorge Evangelista)
Date: Sun Sep 2 01:33:52 2007
Subject: [LARTC] 2 ISP connection sharing problem
In-Reply-To: <13c1e7670709011401r7b9961f8w8ee1122e0a7e5973@mail.gmail.com>
References: <13c1e7670709011401r7b9961f8w8ee1122e0a7e5973@mail.gmail.com>
Message-ID:

Hi,

You should change your last rule for something like this:

ip route add equalize default nexthop via 192.168.1.1 dev eth0 nexthop via 201.81.219.1 dev eth2

It works fine for load balancing, but when a failure occurs on one line,
what happens? If one line is down the change is too slow, and the cache
for the route is still there, and when I want this host again the old
route is through the "down" line. I have a script which runs via ping and
cron; when the next hop is down, the Linux box will change to use one line.

On 9/1/07, Arman wrote:
> Hi all,
>
> I have a similar question like many asked before I know but Please
> help as i cant figure out where the problem is and how should I tackle.
>
> I have 2 ISP connections. I want to share the bandwidth from both. I have
> copied the script from many places and created my own after changes. Problem
> is that only one connection is utilized at a time. Not both working. ratio
> of consuming bandwisth between then is around 1:30.
>
> both connections are from dhcp that is dynamic. configuration from 1 ISP
> remains same and from 1 changes.
>
> EXTERNAL_IP_2="201.81.219.95"
> EXTERNAL_NETWORK_2=" 201.81.219.0"
> EXTERNAL_GATEWAY_IP_2="201.81.219.1"
>
> echo 200 T1 >> /etc/iproute2/rt_tables
> echo 201 T2 >> /etc/iproute2/rt_tables
>
> ip route add 192.168.1.0 dev eth1 src 192.168.1.2 table T1
> ip route add default via 192.168.1.1 table T1
> ip route add $EXTERNAL_NETWORK_2 dev eth2 src $EXTERNAL_IP_2 table T2
> ip route add default via $EXTERNAL_GATEWAY_IP_2 table T2
>
> ip route add 192.168.3.0 dev eth0 table T1
> ip route add 192.168.1.0 dev eth1 table T1
> ip route add 127.0.0.0/8 dev lo table T1
> ip route add 192.168.3.0 dev eth0 table T2
> ip route add $EXTERNAL_NETWORK_2 dev eth2 table T2
> ip route add 127.0.0.0/8 dev lo table T2
>
> ip route add 192.168.1.0 dev eth1 src 192.168.1.2
> ip route add $EXTERNAL_NETWORK_2 dev eth2 src $EXTERNAL_IP_2
>
> ip route add default via $EXTERNAL_GATEWAY_IP_2
>
> ip rule add from 192.168.1.2 table T1
> ip rule add from $EXTERNAL_IP_2 table T2
>
> ip route add default scope global nexthop via 192.168.1.1 dev eth1 weight 1
> nexthop via $EXTERNAL_GATEWAY_IP_2 dev eth2 weight 2
>
>
> route command output is
>
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.1.0     *               255.255.255.255 UH    0      0        0 eth1
> 192.168.3.0     *               255.255.255.0   U     0      0        0 eth0
> 192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
> 201.81.219.0    *               255.255.255.0   U     0      0        0 eth2
> default         201.81.219.1    0.0.0.0         UG    0      0        0 eth2
>
> Problem is that the interface which is set gateway is used only. The other
> one remains idle.
>
> --
> Regards,
> Arman
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
>

--
"The network is the computer"

From arman.anwar at gmail.com  Sun Sep 2 12:25:11 2007
From: arman.anwar at gmail.com (Arman)
Date: Sun Sep 2 12:25:32 2007
Subject: [LARTC] 2 ISP connection sharing problem
Message-ID: <13c1e7670709020325n40f3704fhbc28ea3c2d1ea038@mail.gmail.com>

That's fine, but the primary problem is that only one connection is used
at a time and I want to utilize both at the same time. Please guide.

---------- Forwarded message ----------
From: "Jorge Evangelista"
To: lartc@mailman.ds9a.nl
Date: Sat, 1 Sep 2007 18:33:35 -0500
Subject: Re: [LARTC] 2 ISP connection sharing problem

Hi,

You should change your last rule for some as it:

ip route add equalize default nexthop via 192.168.1.1 dev eth0 nexthop via 201.81.219.1 dev eth2

It works fine for load balancing, but when a failure occurrs on one line,
whats happen? if one line is down the change it is too slow, and the
cache for the route is still there and when I want this Host again the old
route is through from the "down" line. I have a script which runs via ping
and cron when next hop is down, the box linux will change to use one line.

On 9/1/07, Arman wrote:
> Hi all,
>
> I have a similar question like many asked before I know but Please
> help as i cant figure out where the problem is and how should I tackle.
>
> I have 2 ISP connections. I want to share the bandwidth from both. I have
> copied the script from many places and created my own after changes. Problem
> is that only one connection is utilized at a time. Not both working. ratio
> of consuming bandwisth between then is around 1:30.
>
> both connections are from dhcp that is dynamic. configuration from 1 ISP
> remains same and from 1 changes.
>
> EXTERNAL_IP_2="201.81.219.95"
> EXTERNAL_NETWORK_2=" 201.81.219.0"
> EXTERNAL_GATEWAY_IP_2="201.81.219.1"
>
> echo 200 T1 >> /etc/iproute2/rt_tables
> echo 201 T2 >> /etc/iproute2/rt_tables
>
> ip route add 192.168.1.0 dev eth1 src 192.168.1.2 table T1
> ip route add default via 192.168.1.1 table T1
> ip route add $EXTERNAL_NETWORK_2 dev eth2 src $EXTERNAL_IP_2 table T2
> ip route add default via $EXTERNAL_GATEWAY_IP_2 table T2
>
> ip route add 192.168.3.0 dev eth0 table T1
> ip route add 192.168.1.0 dev eth1 table T1
> ip route add 127.0.0.0/8 dev lo table T1
> ip route add 192.168.3.0 dev eth0 table T2
> ip route add $EXTERNAL_NETWORK_2 dev eth2 table T2
> ip route add 127.0.0.0/8 dev lo table T2
>
> ip route add 192.168.1.0 dev eth1 src 192.168.1.2
> ip route add $EXTERNAL_NETWORK_2 dev eth2 src $EXTERNAL_IP_2
>
> ip route add default via $EXTERNAL_GATEWAY_IP_2
>
> ip rule add from 192.168.1.2 table T1
> ip rule add from $EXTERNAL_IP_2 table T2
>
> ip route add default scope global nexthop via 192.168.1.1 dev eth1 weight 1
> nexthop via $EXTERNAL_GATEWAY_IP_2 dev eth2 weight 2
>
>
> route command output is
>
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.1.0     *               255.255.255.255 UH    0      0        0 eth1
> 192.168.3.0     *               255.255.255.0   U     0      0        0 eth0
> 192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
> 201.81.219.0    *               255.255.255.0   U     0      0        0 eth2
> default         201.81.219.1    0.0.0.0         UG    0      0        0 eth2
>
> Problem is that the interface which is set gateway is used only. The other
> one remains idle.
>
> --
> Regards,
> Arman
>
From marek at piasta.pl  Sun Sep 2 13:33:11 2007
From: marek at piasta.pl (Marek Kierdelewicz)
Date: Sun Sep 2 13:33:37 2007
Subject: [LARTC] 2 ISP connection sharing problem
In-Reply-To: <13c1e7670709020325n40f3704fhbc28ea3c2d1ea038@mail.gmail.com>
References: <13c1e7670709020325n40f3704fhbc28ea3c2d1ea038@mail.gmail.com>
Message-ID: <20070902133311.2ec2abf6@catlap>

Hi,

>Thats fine but primary problem is that only one connection is used at a
>time but I want to utilize both at the same time. Please guide

You have iptables based options to solve this problem:

1) You can use the u32 module to mark and then route packets based on the
destination address.

example use of u32:

$IPT -t mangle -A FORWARD -m u32 --u32 "16&0x0001=0x0000" -j MARK --set-mark 0x10
(packets to addresses with last bit UNSET will be marked with 0x10 value)
$IPT -t mangle -A FORWARD -m u32 --u32 "16&0x0001=0x0001" -j MARK --set-mark 0x11
(packets to addresses with last bit SET will be marked with 0x10 value)

Then you add routing policy rules:

ip ru add fwmark 0x10 table T1 prio 100
ip ru add fwmark 0x11 table T2 prio 100

2) You can use the statistic and connmark modules to balance connections
between two links.

Sorry, no fish here, only fishing rod. I don't have a working config
similar to what you need and making something up would be too time
consuming.

connmark module: http://home.regit.org/?page_id=7
statistic module: it's poorly documented, but you can use it like that...
"-m statistic --mode random --probability PERCENT"

Basic idea is to mark some percent of NEW connections with mark 0x10 and
the rest with 0x11. Then you add policy routes like in the example above.

Good luck.
Cheers,
Marek Kierdelewicz
KoBa ISP

From jaorani at gmail.com  Sun Sep 2 13:37:03 2007
From: jaorani at gmail.com (Javier Ors)
Date: Sun Sep 2 13:37:10 2007
Subject: [LARTC] complete linux and shaping newbie needs help
In-Reply-To: <15c3fe2b0709010811o6caedc52u546c07c9f8ca6115@mail.gmail.com>
References: <15c3fe2b0709010811o6caedc52u546c07c9f8ca6115@mail.gmail.com>
Message-ID:

Do they charge you for download traffic or for both download/upload? If
you are in the first case, this slight modification in the wondershaper
script should do the trick.

########## downlink #############
# slow downloads down to somewhat less than the real speed to prevent
# queuing at our ISP. Tune to see how high you can set it.
# ISPs tend to have *huge* queues to make sure big downloads are fast
#
# attach ingress policer:

tc qdisc add dev $DEV handle ffff: ingress

HERE BEGINS THE CHANGE
# filter for your roommate, drop everything that's
# coming faster than half the DOWNLINK value:

tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
   192.168.10.3/24 police rate $[$DOWNLINK/2]kbit burst 10k drop flowid :1
HERE ENDS THE CHANGE

# filter *everything* to it (0.0.0.0/0), drop everything that's
# coming in too fast:

tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
   0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1

From marek at piasta.pl  Sun Sep 2 13:43:02 2007
From: marek at piasta.pl (Marek Kierdelewicz)
Date: Sun Sep 2 13:43:26 2007
Subject: [LARTC] Classful queuing solution
In-Reply-To: <46CD7147.1090900@bristol.ac.uk>
References: <46CD7147.1090900@bristol.ac.uk>
Message-ID: <20070902134302.2b979884@catlap>

Hi,

>Related, but not strictly to do with tc, is there any way of concisely
>and effectively logging connections between NATd users and external
>IPs?
>I need to be able to maintain a log which tells me that a certain
>user was connected to a certain remote host on a certain port at a
>certain time and date, for legal reasons.

You can log traffic with the following iptables rule:

iptables -t nat -A PREROUTING -p tcp -j LOG --log-level info --log-prefix connlog

This will only log new connections, not every packet. Information will be
passed to syslog.

From kaber at trash.net  Sun Sep 2 13:45:42 2007
From: kaber at trash.net (Patrick McHardy)
Date: Sun Sep 2 13:47:22 2007
Subject: [LARTC] Clock Source Kernel settings in 2.6.22
In-Reply-To:
References: <20070828074738.GF17475@DervishD> <20070828231936.22b9683a@localhost> <45E4FD623F464B30A0067FF269007B89@shadow>
Message-ID: <46DAA266.8070601@trash.net>

[Please keep me in CC/To, I don't read lartc often]

Mario Antonio Garcia wrote:
> I used to get an average of 18900kbit.
> My hope was that these new patches would bring better accuracy.

Well, you're up from 94.5% to 99.95%, so they seem to do :)

> Notice the 24 cburst. I am just trying to compensate the inaccuracy
> this way. If I remove the cburst, obviously the shape rate I get goes
> down.
>
> Perhaps I am missing something. I am just a novice trying to get
> exact bandwidth shaping. I have tested all the clock source types with
> no good results.

A couple of comments:

- The patches so far only improve things on x86
- Try to test using UDP (not sure if you did) or simply a ping flood,
  TCP is not ideal.
- iproute calculates burst values automatically. With the higher
  precision clock source you can use a smaller value (also done
  automatically if you don't specify them).
- HFSC is more precise than HTB (and not the least more complicated to
  configure if you use only linear service curves)

From jaorani at gmail.com  Sun Sep 2 13:50:14 2007
From: jaorani at gmail.com (Javier Ors)
Date: Sun Sep 2 13:50:21 2007
Subject: [LARTC] complete linux and shaping newbie needs help
In-Reply-To:
References: <15c3fe2b0709010811o6caedc52u546c07c9f8ca6115@mail.gmail.com>
Message-ID:

Oops, sorry, I made one mistake: I forgot we are filtering incoming
traffic, so we need to match the destination ip. Also there is no need to
filter the whole subnet, so we can set the mask to 32. So this would be
the result:

########## downlink #############
# slow downloads down to somewhat less than the real speed to prevent
# queuing at our ISP. Tune to see how high you can set it.
# ISPs tend to have *huge* queues to make sure big downloads are fast
#
# attach ingress policer:

tc qdisc add dev $DEV handle ffff: ingress

HERE BEGINS THE CHANGE
# filter for your roommate, drop everything that's
# coming faster than half the DOWNLINK value:

tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip dst \
   192.168.10.3/32 police rate $[$DOWNLINK/2]kbit burst 10k drop flowid :1
HERE ENDS THE CHANGE

# filter *everything* to it (0.0.0.0/0), drop everything that's
# coming in too fast:

tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
   0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1
From jaorani at gmail.com  Sun Sep 2 14:03:04 2007
From: jaorani at gmail.com (Javier Ors)
Date: Sun Sep 2 14:03:12 2007
Subject: [LARTC] complete linux and shaping newbie needs help
In-Reply-To:
References: <15c3fe2b0709010811o6caedc52u546c07c9f8ca6115@mail.gmail.com>
Message-ID:

I have just noticed another thing: I just copied the filter, but it should
be given a different (lower) prio value. I'm not sure whether this is
really necessary, but I think that it is better to do so:

########## downlink #############
# slow downloads down to somewhat less than the real speed to prevent
# queuing at our ISP. Tune to see how high you can set it.
# ISPs tend to have *huge* queues to make sure big downloads are fast
#
# attach ingress policer:

tc qdisc add dev $DEV handle ffff: ingress

HERE BEGINS THE CHANGE
# filter for your roommate, drop everything that's
# coming faster than half the DOWNLINK value:

tc filter add dev $DEV parent ffff: protocol ip prio 49 u32 match ip dst \
   192.168.10.3/32 police rate $[$DOWNLINK/2]kbit burst 10k drop flowid :1
HERE ENDS THE CHANGE

# filter *everything* to it (0.0.0.0/0), drop everything that's
# coming in too fast:

tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
   0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1
From jaorani at gmail.com  Sun Sep 2 14:10:32 2007
From: jaorani at gmail.com (Javier Ors)
Date: Sun Sep 2 14:10:38 2007
Subject: [LARTC] complete linux and shaping newbie needs help
In-Reply-To:
References: <15c3fe2b0709010811o6caedc52u546c07c9f8ca6115@mail.gmail.com>
Message-ID:

Sorry again and again, I've just noticed that gmail adds some odd stuff to
the text version of my mails, so this is the definitive (I hope):

########## downlink #############
# slow downloads down to somewhat less than the real speed to prevent
# queuing at our ISP. Tune to see how high you can set it.
# ISPs tend to have *huge* queues to make sure big downloads are fast
#
# attach ingress policer:

tc qdisc add dev $DEV handle ffff: ingress

HERE BEGINS THE CHANGE
# filter for your roommate, drop everything that's
# coming faster than half the DOWNLINK value:

tc filter add dev $DEV parent ffff: protocol ip prio 49 u32 match ip dst \
   192.168.10.3/32 police rate $[$DOWNLINK/2]kbit burst 10k drop flowid :1
HERE ENDS THE CHANGE

# filter *everything* to it (0.0.0.0/0), drop everything that's
# coming in too fast:

tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
   0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1

From aidanjoh at gmail.com  Sun Sep 2 15:44:53 2007
From: aidanjoh at gmail.com (Aidan Johnstone)
Date: Sun Sep 2 15:44:58 2007
Subject: [LARTC] complete linux and shaping newbie needs help
In-Reply-To:
References: <15c3fe2b0709010811o6caedc52u546c07c9f8ca6115@mail.gmail.com>
Message-ID: <15c3fe2b0709020644j4aa94306h255e3962bc3d58c8@mail.gmail.com>

On 9/2/07, Javier Ors wrote:
> Sorry again and again, I've just noticed that gmail adds some odd
> stuff to the text version of my mails, so this is the definitive (I
> hope):

Hola Javier,

Thanks for your reply. Replying to your first question, yes, both upload
and download traffic are accounted towards our monthly cap.
Lame ISP, I know, but unfortunately I can't do anything about it, as it's
the only game in town.

[snip snip]

>
> HERE BEGINS THE CHANGE
> # filter for your roomate, drop everything that's
> # coming faster than half the DOWNLINK value:
>
> tc filter add dev $DEV parent ffff: protocol ip prio 49 u32 match ip dst \
>    192.168.10.3/32 police rate $[$DOWNLINK/2]kbit burst 10k drop flowid :1
> HERE ENDS THE CHANGE
>

I tried this, but it doesn't seem to be making any change at all,
unfortunately. I started a large download from ftp.kernel.org and it was
still coming full steam ahead. I let it go on for a minute or two, hoping
it would eventually start to be throttled, but no dice. Is there perhaps
any iptables command that goes with it, or something?

Thanks for taking the time to look into this, much appreciated!

Regards,
Aidan

From arman.anwar at gmail.com  Sun Sep 2 16:24:23 2007
From: arman.anwar at gmail.com (Arman)
Date: Sun Sep 2 16:24:40 2007
Subject: [LARTC] 2 ISP connection sharing problem
Message-ID: <13c1e7670709020724n58fb686aw42679ba1cf18c199@mail.gmail.com>

I get the following error while running the command

iptables -t mangle -A FORWARD -m u32 --u32 "16&0x0001=0x0000" -j MARK --set-mark 0x10

error> iptables v1.2.11: Couldn't load match `u32':/lib/iptables/libipt_u32.so: cannot open shared object file: No such file or directory

I'm using FC3 Linux Kernel 2.6.9-1.667

Any further pointer?

---------- Forwarded message ----------
From: Marek Kierdelewicz
To: lartc@mailman.ds9a.nl
Date: Sun, 2 Sep 2007 13:33:11 +0200
Subject: Re: Re: [LARTC] 2 ISP connection sharing problem

Hi,

>Thats fine but primary problem is that only one connection is used at a
>time but I want to utilize both at the same time.
>Please guide

You have iptables based options to solve this problem:

1) You can use u32 module to mark and then route packets based on the
destination address

example use of u32:

$IPT -t mangle -A FORWARD -m u32 --u32 "16&0x0001=0x0000" -j MARK --set-mark 0x10
(packets to addresses with last bit UNSET will be marked with 0x10 value)
$IPT -t mangle -A FORWARD -m u32 --u32 "16&0x0001=0x0001" -j MARK --set-mark 0x11
(packets to addresses with last bit SET will be marked with 0x10 value)

Then you add routing policy rules:

ip ru add fwmark 0x10 table T1 prio 100
ip ru add fwmark 0x11 table T2 prio 100

2) You can use statistics and connmark module to balance connections
between two links

Sorry, no fish here, only fishing rod. I don't have a working config
similar to what you need and making something up would be to time
consuming.

connmark module: http://home.regit.org/?page_id=7
statistic module: it's poorly documented, but you can use it like that...
"-m statistic --mode random --probability PERCENT"

Basic idea is to mark some percent of NEW connection with mark 0x10 and
rest with 0x11. Then you add policy routes like in example above.

Good luck.

Cheers,
Marek Kierdelewicz
KoBa ISP

From jaorani at gmail.com  Sun Sep 2 16:44:52 2007
From: jaorani at gmail.com (Javier Ors)
Date: Sun Sep 2 16:44:57 2007
Subject: [LARTC] complete linux and shaping newbie needs help
In-Reply-To: <15c3fe2b0709020644j4aa94306h255e3962bc3d58c8@mail.gmail.com>
References: <15c3fe2b0709010811o6caedc52u546c07c9f8ca6115@mail.gmail.com> <15c3fe2b0709020644j4aa94306h255e3962bc3d58c8@mail.gmail.com>
Message-ID:

> I tried this, but it doesn't seem to be making any change at all,
> unfortunately. I started a large download from ftp.kernel.org and it
> was still coming full steam ahead.
> I let it go on for a minute or two,
> hoping it would eventually start to be throttled, but no dice. Is
> there perhaps any iptables command that goes with it, or something?

I don't know. You can also limit with iptables, but it should be ok with
this tc filter. Did the script run without errors after making the
changes? Can you check that the filter is really present with

tc filter show dev (your-device)

and paste the result... Now that I think of it, what device have you got
configured in the script? It should be eth0 (the cable modem).

From aidanjoh at gmail.com  Sun Sep 2 18:32:41 2007
From: aidanjoh at gmail.com (Aidan Johnstone)
Date: Sun Sep 2 18:33:00 2007
Subject: [LARTC] complete linux and shaping newbie needs help
In-Reply-To:
References: <15c3fe2b0709010811o6caedc52u546c07c9f8ca6115@mail.gmail.com> <15c3fe2b0709020644j4aa94306h255e3962bc3d58c8@mail.gmail.com>
Message-ID: <15c3fe2b0709020932i64830014ve5e6cff2f3133d09@mail.gmail.com>

On 9/2/07, Javier Ors wrote:
>
> I don't know. You can also limit with iptables, but should be ok with
> this tc filter. Did the script run without errors after making the
> changes? Can you check that the filter is really present with tc
> filter show dev (your-device) and paste the result... Now that I
> think, what device have you got configured in the script? It should be
> eth0 (the cable modem).

Hi again Javier.
Yes, the script runs fine, no errors, see:

root@fw:/sbin# ./wshaper.htb
+ DOWNLINK=3000
+ UPLINK=273
+ DEV=eth0
+ NOPRIOHOSTSRC=
+ NOPRIOHOSTDST=
+ NOPRIOPORTSRC=
+ NOPRIOPORTDST=
+ '[' start = status ']'
+ tc qdisc del dev eth0 root
+ tc qdisc del dev eth0 ingress
+ '[' start = stop ']'
+ tc qdisc add dev eth0 root handle 1: htb default 20
+ tc class add dev eth0 parent 1: classid 1:1 htb rate 273kbit burst 6k
+ tc class add dev eth0 parent 1:1 classid 1:10 htb rate 273kbit burst 6k prio 1
+ tc class add dev eth0 parent 1:1 classid 1:20 htb rate 245kbit burst 6k prio 2
+ tc class add dev eth0 parent 1:1 classid 1:30 htb rate 218kbit burst 6k prio 2
+ tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
+ tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
+ tc qdisc add dev eth0 parent 1:30 handle 30: sfq perturb 10
+ tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 match ip tos 0x10 0xff flowid 1:10
+ tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 match ip protocol 1 0xff flowid 1:10
+ tc filter add dev eth0 parent 1: protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:10
+ tc filter add dev eth0 parent 1: protocol ip prio 18 u32 match ip dst 0.0.0.0/0 flowid 1:20
+ tc qdisc add dev eth0 handle ffff: ingress
+ tc filter add dev eth0 parent ffff: protocol ip prio 49 u32 match ip dst 192.168.0.7/32 police rate 1500kbit burst 10k drop flowid :1
+ tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 3000kbit burst 10k drop flowid :1

I changed the ip to match my machine (192.168.0.7), in order to do some tests, to make sure everything was working. That shouldn't be a problem, should it?
And this is the output of tc filter show dev eth0:

root@fw:/sbin# tc filter show dev eth0
filter parent 1: protocol ip pref 10 u32
filter parent 1: protocol ip pref 10 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 10 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:10
  match 00100000/00ff0000 at 0
filter parent 1: protocol ip pref 10 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:10
  match 00010000/00ff0000 at 8
filter parent 1: protocol ip pref 10 u32 fh 800::802 order 2050 key ht 800 bkt 0 flowid 1:10
  match 00060000/00ff0000 at 8
  match 05000000/0f00ffc0 at 0
  match 00100000/00ff0000 at 32
filter parent 1: protocol ip pref 18 u32
filter parent 1: protocol ip pref 18 u32 fh 801: ht divisor 1
filter parent 1: protocol ip pref 18 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid 1:20
  match 00000000/00000000 at 16

Is everything the way it is supposed to be? Thanks again for your time.

Regards,
Aidan

From jaorani at gmail.com Sun Sep 2 21:16:29 2007
From: jaorani at gmail.com (Javier Ors)
Date: Sun Sep 2 21:16:37 2007
Subject: [LARTC] complete linux and shaping newbie needs help
In-Reply-To: <15c3fe2b0709020932i64830014ve5e6cff2f3133d09@mail.gmail.com>
References: <15c3fe2b0709010811o6caedc52u546c07c9f8ca6115@mail.gmail.com> <15c3fe2b0709020644j4aa94306h255e3962bc3d58c8@mail.gmail.com> <15c3fe2b0709020932i64830014ve5e6cff2f3133d09@mail.gmail.com>
Message-ID:

Mmmmmm, could you please post the output of this other command?

tc -s filter show dev eth0 parent ffff:

I've searched a little bit and I think that this solution is not going to work, sorry, I would do the tests on my own machine but for the moment this is not possible... If it is what I'm afraid, you are going to have to use another scheme, but don't worry, it's easy to find an alternative solution anyway.
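Before switching to another scheme, it helps to be able to read the dump Aidan posted: `tc filter show` prints every u32 selector back as a raw VALUE/MASK pair applied at a byte offset into the IP header, and the `-s` form Javier asks for adds a per-selector "Sent ... pkts" counter. The Python script below is an added example written for this thread, not code from iproute2 or from anyone on the list. It assumes the standard IPv4 header byte offsets (and, for offsets 20 and up, a 20-byte header, which the wshaper ACK rule guarantees by also matching ihl == 5), assumes tc's one-item-per-line layout that the archive has flattened, and embeds constructed samples that are the thread's own output re-broken into lines:

```python
"""Decode the raw u32 selectors `tc filter show` prints (added example, not iproute2 code)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# IPv4 header byte offsets: "protocol ip" selectors count from the IP header.  Offsets 20+
# assume a 20-byte header, which the wshaper rule enforces by also matching ihl == 5.
FIELDS = [(0, 1, "ihl/version"), (1, 1, "tos"), (2, 2, "total length"), (8, 1, "ttl"),
          (9, 1, "protocol"), (20, 2, "l4 sport"), (22, 2, "l4 dport"), (33, 1, "tcp flags")]
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
TCP_FLAGS = (("FIN", 1), ("SYN", 2), ("RST", 4), ("PSH", 8), ("ACK", 16), ("URG", 32), ("ECE", 64), ("CWR", 128))
FILTER_RE = re.compile(r"^filter (?:parent \S+ )?protocol \S+ pref (\d+) u32\b(.*)$")
MATCH_RE = re.compile(r"^\s*match ([0-9a-f]{8})/([0-9a-f]{8}) at (-?\d+)")
POLICE_RE = re.compile(r"police \S+ action (\w+) rate (\S+)")
STATS_RE = re.compile(r"^\s*Sent (\d+) bytes (\d+) pkts? \(dropped (\d+), overlimits (\d+)")
def prefix_len(mask: int, bits: int = 32) -> Optional[int]:  # contiguous high-order mask length
    full = (1 << bits) - 1
    return next((p for p in range(bits + 1) if mask == (full << (bits - p)) & full), None)

def describe_field(name: str, v: int, m: int, width: int) -> str:
    full = (1 << 8 * width) - 1
    if name == "ihl/version" and m == 0x0F:
        return f"ihl {v} ({v * 4}-byte header)"
    if name == "protocol" and m == 0xFF:
        return f"protocol {v} ({PROTO_NAMES.get(v, 'other')})"
    if name == "tcp flags" and m == 0xFF:
        return f"tcp flags == {','.join(n for n, b in TCP_FLAGS if v & b) or 'none'}"
    if name == "total length" and prefix_len(m, 16) is not None:
        return f"total length {v}-{v | (~m & full)}"  # masked-out low bits are wildcards
    if m == full:
        return f"{name} {v}" if width == 2 else f"{name} 0x{v:02x}"
    return f"{name} 0x{v:0{2 * width}x}/0x{m:0{2 * width}x}"

def decode_match(value_hex: str, mask_hex: str, at: int) -> str:
    """Turn one 'match VALUE/MASK at OFFSET' selector into named header fields."""
    value, mask = int(value_hex, 16), int(mask_hex, 16)
    if at in (12, 16) and prefix_len(mask) is not None:  # whole src / dst address words
        return f"{'src' if at == 12 else 'dst'} {ipaddress.IPv4Address(value & mask)}/{prefix_len(mask)}"
    vb, mb = (value & mask).to_bytes(4, "big"), mask.to_bytes(4, "big")
    parts, covered = [], set()
    for off, width, name in FIELDS:
        idx = [off - at + k for k in range(width)]
        if all(0 <= i < 4 for i in idx) and any(mb[i] for i in idx):
            covered.update(idx)
            v = int.from_bytes(bytes(vb[i] for i in idx), "big")
            m = int.from_bytes(bytes(mb[i] for i in idx), "big")
            parts.append(describe_field(name, v, m, width))
    parts += [f"byte {at + i} 0x{vb[i]:02x}/0x{mb[i]:02x}"  # bytes the table does not name
              for i in range(4) if mb[i] and i not in covered]
    return ", ".join(parts) or "match-all (zero mask)"

@dataclass
class U32Filter:
    pref: int
    handle: str                      # e.g. 800::800
    flowid: Optional[str]
    police: Optional[str] = None     # "drop over 1420Kbit" when a policer is attached
    matches: List[str] = field(default_factory=list)
    sent_pkts: Optional[int] = None  # only present in `tc -s filter show` output

def parse_tc_filter_show(text: str) -> List[U32Filter]:
    """Parse `tc [-s] filter show` output, keeping only real selector entries (fh X::Y)."""
    filters: List[U32Filter] = []
    cur = None
    for line in text.splitlines():
        if fm := FILTER_RE.match(line):
            fh = re.search(r"fh (\S+::\S+)", fm.group(2))  # protocol/table header lines lack X::Y
            flow = re.search(r"flowid (\S+)", fm.group(2))
            cur = U32Filter(int(fm.group(1)), fh.group(1), flow and flow.group(1)) if fh else None
            filters += [cur] if cur else []
        elif cur and (mm := MATCH_RE.match(line)):
            cur.matches.append(decode_match(mm.group(1), mm.group(2), int(mm.group(3))))
        elif cur and (sm := STATS_RE.match(line)):
            cur.sent_pkts = int(sm.group(2))
        if cur and cur.police is None and (pm := POLICE_RE.search(line)):
            cur.police = f"{pm.group(1)} over {pm.group(2)}"
    return filters

def never_hit(filters: List[U32Filter]) -> List[str]:
    return [f.handle for f in filters if f.sent_pkts == 0]  # zero counter: selector never matched

# Constructed samples: the thread's `tc filter show dev eth0` and `tc -s filter show dev eth0
# parent ffff:` output, re-broken into the one-item-per-line layout tc really prints.
EGRESS_SAMPLE = """\
filter parent 1: protocol ip pref 10 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 10 u32 fh 800::802 order 2050 key ht 800 bkt 0 flowid 1:10
  match 00060000/00ff0000 at 8
  match 05000000/0f00ffc0 at 0
  match 00100000/00ff0000 at 32
"""
INGRESS_SAMPLE = """\
filter protocol ip pref 49 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid :1 police 1d action drop rate 1420Kbit burst 10Kb mtu 2Kb
  match c0a80007/ffffffff at 16
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
"""
if __name__ == "__main__":
    print(*parse_tc_filter_show(EGRESS_SAMPLE + INGRESS_SAMPLE), sep="\n")
```

Fed the egress dump, the decoder turns the three raw matches of handle 800::802 back into "protocol 6 (tcp)", "ihl 5 (20-byte header), total length 0-63" and "tcp flags == ACK", which is exactly the small-ACK rule the wshaper trace above installed, so that part of the script is doing what it says. The check a practitioner wants from the `-s` form is `never_hit`: a selector whose packet counter stays at zero while traffic is flowing is not seeing the packets it was written for. On a NAT router that is what to expect from a `match ip dst 192.168.0.7/32` policer on the ingress side of the modem interface, because the ingress hook runs before netfilter's PREROUTING chain, so packets arriving from the Internet still carry the router's public address as destination at that point, not the LAN address the NAT reply translation will put on them a moment later.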
From aidanjoh at gmail.com Sun Sep 2 21:45:32 2007
From: aidanjoh at gmail.com (Aidan Johnstone)
Date: Sun Sep 2 21:45:37 2007
Subject: [LARTC] complete linux and shaping newbie needs help
In-Reply-To:
References: <15c3fe2b0709010811o6caedc52u546c07c9f8ca6115@mail.gmail.com> <15c3fe2b0709020644j4aa94306h255e3962bc3d58c8@mail.gmail.com> <15c3fe2b0709020932i64830014ve5e6cff2f3133d09@mail.gmail.com>
Message-ID: <15c3fe2b0709021245p22958bdctce7a806248b0f7dc@mail.gmail.com>

On 9/2/07, Javier Ors wrote:

Hello again Javier

> Mmmmmm, could you please post the output of this other command?
> tc -s filter show dev eth0 parent ffff:

Sure!

root@fw:/root# tc -s filter show dev eth0 parent ffff:
filter protocol ip pref 49 u32
filter protocol ip pref 49 u32 fh 800: ht divisor 1
filter protocol ip pref 49 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid :1 police 1d action drop rate 1420Kbit burst 10Kb mtu 2Kb
  match c0a80007/ffffffff at 16
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
filter protocol ip pref 50 u32
filter protocol ip pref 50 u32 fh 801: ht divisor 1
filter protocol ip pref 50 u32 fh 801::800 order 2048 key ht 801 bkt 0 flowid :1 police 1e action drop rate 2840Kbit burst 10Kb mtu 2Kb
  match 00000000/00000000 at 12
 Sent 91611539 bytes 113192 pkts (dropped 0, overlimits 24)

> I've searched a little bit and I think that this solution is not going
> to work, sorry, I would do the tests on my own machine but for the
> moment this is not possible...

That's ok, I appreciate all the trouble you're going to already! I couldn't possibly ask you more :-)

> If it is what I'm afraid, you are going to have to use another scheme,
> but don't worry, it's easy to find an alternative solution anyway.

Ok.
I've been doing some reading, and the little I could understand, I think the solution would be to mark all packets to/from that particular machine with iptables MARK or somesuch, and then have a class in tc set to whatever bandwidth I want to allocate, and some other tc command to bound those marked packets to that class. This is all theory, of course, I haven't the slightest idea how to accomplish this, or even if this isn't complete hogwash :-)

Regards,
Aidan

From alex at samad.com.au Sun Sep 2 22:04:40 2007
From: alex at samad.com.au (Alex Samad)
Date: Sun Sep 2 22:04:54 2007
Subject: [LARTC] 2 ISP connection sharing problem
In-Reply-To: <13c1e7670709020325n40f3704fhbc28ea3c2d1ea038@mail.gmail.com>
References: <13c1e7670709020325n40f3704fhbc28ea3c2d1ea038@mail.gmail.com>
Message-ID: <20070902200439.GB28799@samad.com.au>

On Sun, Sep 02, 2007 at 03:25:11PM +0500, Arman wrote:
> That's fine but primary problem is that only one connection is used at a time
> but I want to utilize both at the same time. Please guide
>
>
> ---------- Forwarded message ----------
> From: "Jorge Evangelista"
> To: lartc@mailman.ds9a.nl
> Date: Sat, 1 Sep 2007 18:33:35 -0500
> Subject: Re: [LARTC] 2 ISP connection sharing problem
> Hi,
>
> You should change your last rule for some as it:
>
> ip route add equalize default nexthop via 192.168.1.1 dev eth0
> nexthop via 201.81.219.1 dev eth2
>
> It works fine for load balancing, but when a failure occurs on one
> line, what happens? if one line is down the change it is too slow, and
> the cache for the route is still there and when I want this Host again
> the old route is through from the "down" line.
>
> I have a script which runs via ping and cron when next hop is down,
> the box linux will change to use one line.

i have something similar, but my problem is conntrack/natting.
once a stream is up and running, conntrack remembers with external ip and tries to route out that one untill the connection is closed - which it will not be until it gets an rst/finish. This can take a while to settle down - wait for all the timers to run out... > > > > > > > On 9/1/07, Arman wrote: > > Hi all, > > > > I have a similar question like many asked before I know but > Please > > help as i cant figure out where the problem is and how should I tackle. > > > > I have 2 ISP connections. I want to share the bandwidth from both. I have > > copied the script from many places and created my own after changes. > Problem > > is that only one connection is utilized at a time. Not both working. ratio > > of consuming bandwisth between then is around 1:30. > > > > both connections are from dhcp that is dynamic. configuration from 1 ISP > > remains same and from 1 changes. > > > > EXTERNAL_IP_2="201.81.219.95" > > EXTERNAL_NETWORK_2=" 201.81.219.0" > > EXTERNAL_GATEWAY_IP_2="201.81.219.1" > > > > echo 200 T1 >> /etc/iproute2/rt_tables > > echo 201 T2 >> /etc/iproute2/rt_tables > > > > ip route add 192.168.1.0 dev eth1 src 192.168.1.2 table T1 > > ip route add default via 192.168.1.1 table T1 > > ip route add $EXTERNAL_NETWORK_2 dev eth2 src $EXTERNAL_IP_2 table T2 > > ip route add default via $EXTERNAL_GATEWAY_IP_2 table T2 > > > > ip route add 192.168.3.0 dev eth0 table T1 > > ip route add 192.168.1.0 dev eth1 table T1 > > ip route add 127.0.0.0/8 dev lo table T1 > > ip route add 192.168.3.0 dev eth0 table T2 > > ip route add $EXTERNAL_NETWORK_2 dev eth2 table T2 > > ip route add 127.0.0.0/8 dev lo table T2 > > > > ip route add 192.168.1.0 dev eth1 src 192.168.1.2 > > ip route add $EXTERNAL_NETWORK_2 dev eth2 src $EXTERNAL_IP_2 > > > > ip route add default via $EXTERNAL_GATEWAY_IP_2 > > > > ip rule add from 192.168.1.2 table T1 > > ip rule add from $EXTERNAL_IP_2 table T2 > > > > ip route add default scope global nexthop via 192.168.1.1 dev eth1 weight > 1 > > 
nexthop via $EXTERNAL_GATEWAY_IP_2 dev eth2 weight 2 > > > > > > route command output is > > > > Destination Gateway Genmask Flags Metric Ref > > Use Iface > > 192.168.1.0 * 255.255.255.255 UH 0 > 0 > > 0 eth1 > > 192.168.3.0 * 255.255.255.0 U 0 > > 0 0 eth0 > > 192.168.1.0 * 255.255.255.0 U 0 > > 0 0 eth1 > > 201.81.219.0 * 255.255.255.0 U 0 > > 0 0 eth2 > > default 201.81.219.1 0.0.0.0 UG 0 > > 0 0 eth2 > > > > Problem is that the interface which is set gateway is used only. The other > > one remains idle. > > > > -- > > Regards, > > Arman > > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://mailman.ds9a.nl/pipermail/lartc/attachments/20070903/757a1751/attachment.pgp From indunil75 at gmail.com Mon Sep 3 06:21:05 2007 From: indunil75 at gmail.com (Indunil Jayasooriya) Date: Mon Sep 3 06:21:11 2007 Subject: [LARTC] About "b" meaning "byte" and bit In-Reply-To: <20070831162624.GA6133@DervishD> References: <20070831162624.GA6133@DervishD> Message-ID: <7ed6b0aa0709022121y660a8e35j998e3f2246817263@mail.gmail.com> On 8/31/07, DervishD wrote: > Hi all :) > > I think that this issue has already been discussed on this list, but > google didn't find anything interesting, so I'm bringing the subject > again. > > The output of "tc" uses "b" meaning "byte" and "bit" for "bit". The > "official" suffixes for those units are "B" and "b", respectively, and > on top of this, I'm not sure if "kbit" means "kilobit" or "kibibit" in > "tc" output. > SEE below that was taken form this URL http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm Please read: tc tool (not only HTB) uses shortcuts to denote units of rate. kbps means kilobytes and kbit means kilobits ! This is the most FAQ about tc in linux. 
-- Thank you Indunil Jayasooriya -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070903/df5afea1/attachment.htm From arman.anwar at gmail.com Mon Sep 3 10:35:57 2007 From: arman.anwar at gmail.com (Arman) Date: Mon Sep 3 10:36:21 2007 Subject: [LARTC] 2 ISP connection sharing problem Message-ID: <13c1e7670709030135y50b72f82tf836e840c200a98c@mail.gmail.com> HI, Is not there any work around to tackle this. As i dont want to do such things on a live server. Like is not there any specific patch or libs to update instead of compiling Kernel. Hi, >error> iptables v1.2.11: Couldn't load match >`u32':/lib/iptables/libipt_u32.so: cannot open shared object file: No >such file or directory > >I m using FC3 Linux Kernel 2.6.9-1.667 U32 module is not available in vanilla kernels and your kernel probably lacks it too. You should ask for help on Fedora groups. Maybe there are network-oriented prebuild kernels available. Remember that you'll also need iptables support for u32 module. Alternative is to: - download vanilla kernel source - download iptables source - download patch-o-matic-ng - patch kernel&iptables source with u32 patch from patch-o-matic-ng - compile&install new kernel, modules and iptables Marek Kierdelewicz -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070903/9d538e0a/attachment.html From indunil75 at gmail.com Mon Sep 3 11:04:54 2007 From: indunil75 at gmail.com (Indunil Jayasooriya) Date: Mon Sep 3 11:05:00 2007 Subject: [LARTC] Can we use 2 tc filter rules with the same prio Message-ID: <7ed6b0aa0709030204y5bea56a4ub09cffcc9a0395e1@mail.gmail.com> Hi ALL, I am using below script for DOWNLOADING. it is only for HTTP and HTTPS. I have given the same prio for both. (i.e prio 1). pls see my script given below. 
(last 2 lines of the script where I have highlighted in BOLD letters) Can I have 2 tc filter rules with the same prio? What is the proper method to write? MY SCRIPT IS BELOW #traffic shaping on eth1 (Downloading) INTERFAZ_LAN=eth1 FULLBANDWIDTH=256 BANDWIDTH4LAN=64 tc qdisc del root dev $INTERFAZ_LAN tc qdisc add dev $INTERFAZ_LAN root handle 1: htb r2q 4 tc class add dev $INTERFAZ_LAN parent 1: classid 1:2 htb rate "$FULLBANDWIDTH"Kbit tc class add dev $INTERFAZ_LAN parent 1: classid 1:5 htb rate "$BANDWIDTH4LAN"Kbit tc qdisc add dev $INTERFAZ_LAN parent 1:5 handle 5: sfq perturb 10 tc filter add dev $INTERFAZ_LAN parent 1: protocol ip prio 1 u32 match ip sport 80 0xffff match ip dst 192.168.102.0/24 classid 1:5 tc filter add dev $INTERFAZ_LAN parent 1: protocol ip prio 1 u32 match ip sport 443 0xffff match ip dst 192.168.102.0/24 classid 1:5 YOUR COMMENTS NEEDED. -- Thank you Indunil Jayasooriya -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070903/6b2a659b/attachment.htm From lartc at dervishd.net Mon Sep 3 11:17:29 2007 From: lartc at dervishd.net (DervishD) Date: Mon Sep 3 11:16:58 2007 Subject: [LARTC] About "b" meaning "byte" and bit In-Reply-To: <7ed6b0aa0709022121y660a8e35j998e3f2246817263@mail.gmail.com> References: <20070831162624.GA6133@DervishD> <7ed6b0aa0709022121y660a8e35j998e3f2246817263@mail.gmail.com> Message-ID: <20070903091729.GA24496@DervishD> Hi Indunil :) * Indunil Jayasooriya dixit: > On 8/31/07, DervishD wrote: > > Hi all :) > > > > I think that this issue has already been discussed on this list, but > > google didn't find anything interesting, so I'm bringing the subject > > again. > > > > The output of "tc" uses "b" meaning "byte" and "bit" for "bit". The > > "official" suffixes for those units are "B" and "b", respectively, and > > on top of this, I'm not sure if "kbit" means "kilobit" or "kibibit" in > > "tc" output. 
> >
>
> SEE below that was taken from this URL
>
> http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm
>
>
> Please read: tc tool (not only HTB) uses shortcuts to denote units of rate.
> kbps means kilobytes and kbit means kilobits ! This is the most FAQ about tc
> in linux.

Yes, I already knew that, what I was asking is why SI units are not used and "shortcuts" are used instead: see my original message, I was not sure if kilobit was being used correctly (meaning 1000 bits) or if it was being used mistakenly for kibibit (1024 bits), and on top of that, why "b" was being used as byte when the SI prefix for byte is "B". I mean, tc doesn't seem to follow any standard except maybe in kilobit (which should be then used as kb, not kbit).

Raúl Núñez de Arenas Coronado
--
Linux Registered User 88736 | http://www.dervishd.net
It's my PC and I'll cry if I want to... RAmen!
We are waiting for 13 Feb 2009 23:31:30 +0000 ...

From vadtec at vadtec.net Mon Sep 3 14:05:53 2007
From: vadtec at vadtec.net (Vadtec)
Date: Mon Sep 3 14:06:17 2007
Subject: [LARTC] Question about how TC enforces bandwidth limiting
Message-ID: <46DBF8A0.5080504@vadtec.net>

Hello,

I run one of my PCs as my personal router, with iptables+tc to control traffic and be my firewall. In TC, I use a combination of htb, qdisc and sfq (as well as prio) to classify bandwidth. In my current setup, I have 10 classifications of my bandwidth. (Even I admit this is probably more than I need, but at this point I'm still learning, so I'll just leave them be.) This leads me to my question about how TC enforces maximum bandwidth limits. I am on DSL internet with rates 1.5Mbps/384kbps. I do not make complete use of my pipe just in case of a massive burst. I know I will probably not burst such a massive burst, but it's better to be safe than sorry.
To help understand this, here are the classes and their associated bandwidths as I have them set in TC: (MAX_RATE is 360kbps) $TC qdisc add dev $IFext root handle 1: htb default 90 $TC class add dev $IFext parent 1: classid 1:1 htb rate $MAX_RATE quantum $QUANTUM $TC class add dev $IFext parent 1:1 classid 1:10 htb rate 240kbps ceil $MAX_RATE prio 0 quantum $QUANTUM $TC class add dev $IFext parent 1:1 classid 1:20 htb rate 192kbps ceil $MAX_RATE prio 1 quantum $QUANTUM $TC class add dev $IFext parent 1:1 classid 1:30 htb rate 80kbps ceil $MAX_RATE prio 2 quantum $QUANTUM $TC class add dev $IFext parent 1:1 classid 1:40 htb rate 64kbps ceil $MAX_RATE prio 3 quantum $QUANTUM $TC class add dev $IFext parent 1:1 classid 1:50 htb rate 32kbps ceil $MAX_RATE prio 4 quantum $QUANTUM $TC class add dev $IFext parent 1:1 classid 1:60 htb rate 20kbps ceil $MAX_RATE prio 5 quantum $QUANTUM $TC class add dev $IFext parent 1:1 classid 1:70 htb rate 16kbps ceil $MAX_RATE prio 6 quantum $QUANTUM $TC class add dev $IFext parent 1:1 classid 1:80 htb rate 8kbps ceil $MAX_RATE prio 7 quantum $QUANTUM $TC class add dev $IFext parent 1:1 classid 1:90 htb rate 2kbps ceil $MAX_RATE prio 8 quantum $QUANTUM $TC class add dev $IFext parent 1:1 classid 1:100 htb rate 2kbps ceil 20kbps prio 9 quantum $QUANTUM $TC qdisc add dev $IFext parent 1:10 handle 10: sfq perturb 10 $TC qdisc add dev $IFext parent 1:20 handle 20: sfq perturb 10 $TC qdisc add dev $IFext parent 1:30 handle 30: sfq perturb 10 $TC qdisc add dev $IFext parent 1:40 handle 40: sfq perturb 10 $TC qdisc add dev $IFext parent 1:50 handle 50: sfq perturb 10 $TC qdisc add dev $IFext parent 1:60 handle 60: sfq perturb 10 $TC qdisc add dev $IFext parent 1:70 handle 70: sfq perturb 10 $TC qdisc add dev $IFext parent 1:80 handle 80: sfq perturb 10 $TC qdisc add dev $IFext parent 1:90 handle 90: sfq perturb 10 $TC qdisc add dev $IFext parent 1:100 handle 100: sfq perturb 10 Class 90 is the default. 
Class 100 is a special class, and what my question specifically relates to. Class 100 is for bit torrent. I do not like the other people in my house using very much bandwidth for torrenting as it has a tendency to slow things down to greatly. The problem I have is this: when I disable a given torrent clients upload limits, the bandwidth climbs to above the 20kbps limit I have set for it. When I classify the traffic in iptables, i put it into class 100, so it shouldn't getting put into the default class. While I understand how/why TC enforces minimum bandwidth for a given class, why is it that for class 100 TC is not enforcing the cap of 20kbps to traffic that it is classified at? Is there something else I need to do to make TC also enforce arbitrary maximum limits for a given classification? Vadtec From bojleros at poczta.fm Mon Sep 3 15:58:11 2007 From: bojleros at poczta.fm (bartekR) Date: Mon Sep 3 15:58:46 2007 Subject: [LARTC] Classes do not receive any traffic ? Message-ID: <46DC12F3.6010101@poczta.fm> Hello everyone. CONFIGURATION DESCRIPTION: I have a linux box doing masquerade for two lan's. Here is a piece of mine network config: eth0 : ISP , one public ip address (DSL modem) eth1 : lan , private network address fe: 192.168.4.0/24 eth2 : wlan access point performing as lan2wlan bridge , private network addes fe. 192.168.67.0/24 This box use 2.6.20 kernel with iptables-1.3.8 and iproute-2.6.20-070313. I also use imq hooked as AB. 
I have tried to shape eth0's incoming traffic using imq0 : ===============================start==================================== ifconfig imq0 txqueuelen 30 up tc qdisc add dev imq0 root handle 1: htb ${root_parm} #this class have speed corresponding to maximum achieved speed of isp connection in particular direction tc class add dev imq0 parent 1:0 classid 1:1 htb rate ${rate_sum} ceil ${rate_sum} burst 0kb cburst 0kb ${quantum_sum} # summarized prio class tc class add dev imq0 parent 1:1 classid 1:2 htb rate ${rate_prio_sum} ceil ${rate_prio_sum} burst 0kb cburst 0kb ${quantum_prio_sum} #critical prio tc class add dev imq0 parent 1:2 classid 1:3 htb prio ${prio_crit} rate ${rate_crit} ceil ${ceil_crit} burst 0kb cburst 0kb ${quantum_crit} tc filter add dev imq0 parent 1:0 protocol ip prio 0 u32 match mark 3 0xffff flowid 1:3 #prio voip tc class add dev imq0 parent 1:2 classid 1:4 htb prio ${prio_voip} rate ${rate_voip} ceil ${ceil_voip} burst 0kb cburst 0kb ${quantum_voip} tc filter add dev imq0 parent 1:0 protocol ip prio 1 u32 match mark 4 0xffff flowid 1:4 #games tc class add dev imq0 parent 1:2 classid 1:5 htb prio ${prio_ent} rate ${rate_ent} ceil ${ceil_ent} burst 0kb cburst 0kb ${quantum_ent} tc filter add dev imq0 parent 1:0 protocol ip prio 2 u32 match mark 5 0xffff flowid 1:5 # summarized class for generic unclassified traffic tc class add dev imq0 parent 1:1 classid 1:6 htb rate ${rate_user_sum} ceil ${rate_user_sum} burst 0kb cburst 0kb ${quantum_user_sum} #generic server traffic tc class add dev imq0 parent 1:6 classid 1:7 htb prio ${prio_srv} rate ${rate_srv} ceil ${ceil_srv} burst 0kb cburst 0kb ${quantum_srv} tc filter add dev imq0 parent 1:0 protocol ip prio 4 u32 match ip ${dev[3]} $server_public_ip flowid 1:7 #default class tc class add dev imq0 parent 1:6 classid 1:8 htb prio 7 rate 1kbps ceil 1kbps burst 0kb cburst 0kb quantum 1500 # fe. 
single user class tc class add dev imq0 parent 1:6 classid 1:30 htb prio ${prio_user} rate ${rate_user} ceil ${ceil_user} burst 0kb cburst 0kb ${quantum_user} tc filter add dev imq0 parent 1:0 protocol ip prio 5 u32 match ip ${dev[3]} 192.168.4.5 flowid 1:30 #Each user has his own class for traffic that were not classified for #prio classes. Other traffic is probably traffic from "unofficial users #so they receive what they deserve :). #This two functions are responsible for setting up iptables and imq hooking. skype() { #Nasty workaround for skype if [ ! -r /tmp/1 -o ! -r /tmp/2 ] ; then touch /tmp/1 /tmp/2 find /etc/l7-protocols/protocols/ -type f -name *pat |cut -d/ -f5 | cut -d. -f1 >/tmp/1 sed '/skype*/d;/finger*/d;/biff*/d;/whois*/d;/tsp*/d;/ntp*/d;/unknown*/d;/sip*/d;/h232*/d;/teamspeak*/d;/ventrilo*/d;/ssh*/d;/jabber*/d;/aim*/d;/msnmessenger*/d;/yahoo*/d;/qq*/d;/battlefield1942/d;/battlefield2/d;/counterstrike-source*/d;/dayofdefeat-source*/d;/doom3*/d;/halflife2-deathmatch*/d;/mohaa*/d;/quake-halflife*/d;/quake1*/d;/worldofwarcraft*/d' /tmp/1 > /tmp/2 fi i=`cat /tmp/2|wc -l` j=1 iptables -t mangle -N ${dev[2]}_SKYPE iptables -t mangle -A ${dev[2]}_SKYPE -p tcp --sport 1:1024 -j RETURN iptables -t mangle -A ${dev[2]}_SKYPE -p udp --sport 1:1024 -j RETURN iptables -t mangle -A ${dev[2]}_SKYPE -p tcp --dport 1:1024 -j RETURN iptables -t mangle -A ${dev[2]}_SKYPE -p udp --dport 1:1024 -j RETURN while [ ${j} -le ${i} ]; do iptables -t mangle -A ${dev[2]}_SKYPE -m layer7 --l7proto `sed -n ${j}p /tmp/2` -j RETURN j=$(($j+1)) done iptables -t mangle -A ${dev[2]}_SKYPE -m layer7 --l7proto skypetoskype -j ${dev[2]}_CON_VOIP iptables -t mangle -A ${dev[2]}_SKYPE -m layer7 --l7proto skypeout -j ${dev[2]}_CON_VOIP>/dev/null 1>/dev/null 2>/dev/null 3>/dev/null 4>/dev/null iptables -t mangle -A ${dev[2]}_SKYPE -j RETURN } ipt_int() { iptables -t mangle -N ${dev[2]}_CHECK iptables -t mangle -N ${dev[2]}_IMQ iptables -t mangle -N ${dev[2]}_PRIO if [[ ${dev[0]} =~ 'imq0' ]] 
; then iptables -t mangle -A ${dev[2]}_PRIO -j MARK --set-mark 3 elif [[ ${dev[0]} =~ 'eth0' ]] ; then iptables -t mangle -A ${dev[2]}_PRIO -j CLASSIFY --set-class 1:3 else exit 1 fi iptables -t mangle -A ${dev[2]}_PRIO -j ${dev[2]}_IMQ iptables -t mangle -N ${dev[2]}_CON_PRIO if [[ ${dev[0]} =~ 'imq0' ]] ; then iptables -t mangle -A ${dev[2]}_CON_PRIO -j MARK --set-mark 3 elif [[ ${dev[0]} =~ 'eth0' ]] ; then iptables -t mangle -A ${dev[2]}_CON_PRIO -j CLASSIFY --set-class 1:3 else exit 1 fi iptables -t mangle -A ${dev[2]}_CON_PRIO -j CONNMARK --save-mark iptables -t mangle -A ${dev[2]}_CON_PRIO -j ${dev[2]}_IMQ iptables -t mangle -N ${dev[2]}_CON_VOIP if [[ ${dev[0]} =~ 'imq0' ]] ; then iptables -t mangle -A ${dev[2]}_CON_VOIP -j MARK --set-mark 4 elif [[ ${dev[0]} =~ 'eth0' ]] ; then iptables -t mangle -A ${dev[2]}_CON_VOIP -j CLASSIFY --set-class 1:4 else echo co? nie tak w 'ip_int()' exit 1 fi iptables -t mangle -A ${dev[2]}_CON_VOIP -j CONNMARK --save-mark iptables -t mangle -A ${dev[2]}_CON_VOIP -j ${dev[2]}_IMQ iptables -t mangle -N ${dev[2]}_CON_GRY if [[ ${dev[0]} =~ 'imq0' ]] ; then iptables -t mangle -A ${dev[2]}_CON_GRY -j MARK --set-mark 5 elif [[ ${dev[0]} =~ 'eth0' ]] ; then iptables -t mangle -A ${dev[2]}_CON_GRY -j CLASSIFY --set-class 1:5 else exit 1 fi iptables -t mangle -A ${dev[2]}_CON_GRY -j CONNMARK --save-mark iptables -t mangle -A ${dev[2]}_CON_GRY -j ${dev[2]}_IMQ iptables -t mangle -N ${dev[2]}_GRY if [[ ${dev[0]} =~ 'imq0' ]] ; then iptables -t mangle -A ${dev[2]}_GRY -j MARK --set-mark 5 elif [[ ${dev[0]} =~ 'eth0' ]] ; then iptables -t mangle -A ${dev[2]}_GRY -j CLASSIFY --set-class 1:5 else exit 1 fi iptables -t mangle -A ${dev[2]}_GRY -j ${dev[2]}_IMQ iptables -t mangle -A ${dev[2]}_CHECK -m length --length 1:64 -p tcp --tcp-flags SYN,FIN,ACK ACK -j ${dev[2]}_PRIO iptables -t mangle -A ${dev[2]}_CHECK -p tcp --tcp-flags SYN,ACK,FIN SYN -j ${dev[2]}_PRIO iptables -t mangle -A ${dev[2]}_CHECK -p tcp --tcp-flags SYN,ACK,FIN SYN,ACK -j 
${dev[2]}_PRIO iptables -t mangle -A ${dev[2]}_CHECK -p tcp --tcp-flags SYN,ACK,FIN FIN,ACK -j ${dev[2]}_PRIO iptables -t mangle -A ${dev[2]}_CHECK -p icmp --icmp-type echo-request -j ${dev[2]}_GRY iptables -t mangle -A ${dev[2]}_CHECK -p icmp --icmp-type echo-reply -j ${dev[2]}_GRY iptables -t mangle -A ${dev[2]}_CHECK -j CONNMARK --restore-mark iptables -t mangle -A ${dev[2]}_CHECK -m mark ! --mark 0 -j ${dev[2]}_IMQ iptables -t mangle -A ${dev[2]}_CHECK -p tcp -m multiport --ports 22,53,65522 -j ${dev[2]}_CON_PRIO iptables -t mangle -A ${dev[2]}_CHECK -p udp -m multiport --ports 22,53,65522 -j ${dev[2]}_CON_PRIO iptables -t mangle -A ${dev[2]}_CHECK -p tcp -m iprange --${dev[4]}-range 217.17.41.80-217.17.41.95 -m multiport --${dev[6]}ports 8074,443 -j ${dev[2]}_CON_PRIO iptables -t mangle -A ${dev[2]}_CHECK -p tcp -m iprange --${dev[4]}-range 217.17.45.128-217.17.45.159 -m multiport --${dev[6]}ports 8074,443 -j ${dev[2]}_CON_PRIO iptables -t mangle -A ${dev[2]}_CHECK -m layer7 --l7proto ssh -j ${dev[2]}_CON_PRIO iptables -t mangle -A ${dev[2]}_CHECK -m layer7 --l7proto sip -j ${dev[2]}_CON_VOIP iptables -t mangle -A ${dev[2]}_CHECK -m layer7 --l7proto h323 -j ${dev[2]}_CON_VOIP iptables -t mangle -A ${dev[2]}_CHECK -m layer7 --l7proto teamspeak -j ${dev[2]}_CON_VOIP iptables -t mangle -A ${dev[2]}_CHECK -m layer7 --l7proto ventrilo -j ${dev[2]}_CON_VOIP iptables -t mangle -A ${dev[2]}_CHECK -m layer7 --l7proto jabber -j ${dev[2]}_CON_PRIO iptables -t mangle -A ${dev[2]}_CHECK -m layer7 --l7proto aim -j ${dev[2]}_CON_PRIO iptables -t mangle -A ${dev[2]}_CHECK -m layer7 --l7proto msnmessenger -j ${dev[2]}_CON_PRIO iptables -t mangle -A ${dev[2]}_CHECK -m layer7 --l7proto yahoo -j ${dev[2]}_CON_PRIO iptables -t mangle -A ${dev[2]}_CHECK -m layer7 --l7proto qq -j ${dev[2]}_CON_PRIO iptables -t mangle -A ${dev[2]}_CHECK -m layer7 --l7proto battlefield1942 -j ${dev[2]}_CON_GRY iptables -t mangle -A ${dev[2]}_CHECK -m layer7 --l7proto battlefield2 -j ${dev[2]}_CON_GRY 
iptables -t mangle -A ${dev[2]}_CHECK -m layer7 --l7proto counterstrike-source -j ${dev[2]}_CON_GRY iptables -t mangle -A ${dev[2]}_CHECK -m layer7 --l7proto dayofdefeat-source -j ${dev[2]}_CON_GRY iptables -t mangle -A ${dev[2]}_CHECK -m layer7 --l7proto doom3 -j ${dev[2]}_CON_GRY iptables -t mangle -A ${dev[2]}_CHECK -m layer7 --l7proto halflife2-deathmatch -j ${dev[2]}_CON_GRY iptables -t mangle -A ${dev[2]}_CHECK -m layer7 --l7proto mohaa -j ${dev[2]}_CON_GRY iptables -t mangle -A ${dev[2]}_CHECK -m layer7 --l7proto quake-halflife -j ${dev[2]}_CON_GRY iptables -t mangle -A ${dev[2]}_CHECK -m layer7 --l7proto quake1 -j ${dev[2]}_CON_GRY iptables -t mangle -A ${dev[2]}_CHECK -m layer7 --l7proto worldofwarcraft -j ${dev[2]}_CON_GRY skype iptables -t mangle -A ${dev[2]}_CHECK -j ${dev[2]}_SKYPE iptables -t mangle -A ${dev[2]}_CHECK -p tcp -m multiport --ports 27000:27030,28960 -j ${dev[2]}_CON_GRY iptables -t mangle -A ${dev[2]}_CHECK -p udp -m multiport --ports 27000:27030,27901,27960,28960,28960,28960,14567,16567 -j ${dev[2]}_CON_GRY iptables -t mangle -A ${dev[2]}_CHECK -j ${dev[2]}_IMQ iptables -t mangle -N ${dev[2]}_KONIEC iptables -t mangle -A ${dev[2]}_KONIEC -j RETURN if [[ ${dev[0]} =~ 'imq(.*)' ]] ; then export numdev=${BASH_REMATCH[1]} iptables -t mangle -A ${dev[2]}_IMQ -j IMQ --todev ${numdev} fi iptables -t mangle -A ${dev[2]}_IMQ -j ${dev[2]}_KONIEC if [[ ${dev[2]} =~ 'DL' ]] ; then iptables -t mangle -I ${dev[7]} -i ${dev[1]} -j ${dev[2]}_CHECK elif [[ ${dev[2]} =~ 'UL' ]] ; then iptables -t mangle -I ${dev[7]} -o ${dev[1]} -j ${dev[2]}_CHECK else exit 1 fi } # Before invoking any function i setup correct data to dev vector: #example export dev=(imq0 eth0 DL dst src d s PREROUTING) ===============================stop=================================== I know that my script is really complex one. 
Check this simplified diagram to understand general idea: -----| P | R | E R| O| /=YES=>[prio]=> O U| || R T|=>(?mark!=0?)=NO=>(?prio?)=NO=>(?valid user?)=NO=>[def]=> I| || || P N| \=YES=> \=YES=>[user]=> O G| S | T | -----| [] - classifying for proper class (mark or u32) - packet travels to imq or leaves PRE,POSTROUTING QUESTIONS AND PROBLEM DESCRIPTION: 1.Main problem. It seems that classes on imq0 that should shape incoming traffic from internet do not recognizes marks. Fw match don't work. U32 match works except matching marks. The only classes that receive traffic on imq0 are server class and user classes. Similar problem occurred on eth0(upload) but I managed to solve this problem by using -j CLASSIFY instead -j MARK. When I tried to fix this problem I have learned that this may be caused by the way tc and iptables are works together.I am sure that marks are set and IMQ target works (non zero iptables/ifconfig counters) . I think that it is possible for u32 matches to classify traffic before any mark is set. Unfortunately kptd is out of date so it is not certain to me. Would somebody explain me why fwmark do not work on imq0 ? 2. I have found that when i try to ping from host in lan to host in internet every fifth icmp packet has significantly higher delay. F.e. four packets goes trough with delay approx 15ms but next packet have delay up to 100ms ! I suppose that it may be caused by to big txqueuelen so i decreased it from 1000 to 30 on all interfaces without any problems with lesser bandwidth or packet looses. Could somebody advice proper value for txqueuelen if it was a good idea to change it. I have 1Mbit/256kbit DSL modem. 3. Is it a good idea to set proper ToS value for a outbound traffic that was classified as prio ?? Would it give any decrease in delays ?? I hope I will find someone helpful and also very tolerant for mine poor English ... Posting on LTARC is the only way to solve mine problems.... 
Bartek

From arman.anwar at gmail.com Mon Sep 3 19:57:06 2007
From: arman.anwar at gmail.com (Arman)
Date: Mon Sep 3 19:57:13 2007
Subject: [LARTC] 2 ISP connection sharing problem
Message-ID: <13c1e7670709031057t7aed1468o72161ac6e70503f6@mail.gmail.com>

I have divided my network into 2 parts now that is 193.168.3.127/25 and 192.168.3.128/25. I want to route part1 to ISP1 and Part 2 to ISP2. I have made changes into rules. But I think my Tables T1,T2 are not used and default table is in use. How can I command to use tables T1,T2 instead of default table.

route command output is

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.3.0     *               255.255.255.0   U     0      0        0 eth0
203.81.213.0    *               255.255.255.0   U     0      0        0 eth2
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth2
default         203.81.213.1    0.0.0.0         UG    0      0        0 eth2

--
Regards,
Arman
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070903/3ddd7686/attachment.html

From martin at linux-ip.net Mon Sep 3 20:09:11 2007
From: martin at linux-ip.net (Martin A. Brown)
Date: Mon Sep 3 20:09:46 2007
Subject: [LARTC] 2 ISP connection sharing problem
In-Reply-To: <13c1e7670709031057t7aed1468o72161ac6e70503f6@mail.gmail.com>
References: <13c1e7670709031057t7aed1468o72161ac6e70503f6@mail.gmail.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Arman,

: I have divided my network into 2 parts now that is
: 193.168.3.127/25 and 192.168.3.128/25.

According to this output, below, you have not divided your /24 into two different networks, and it's really not clear exactly what you are asking.
Neither of these show up in your routing table:

  192.168.3.0/25   (netmask 255.255.255.128)
  192.168.3.128/25 (netmask 255.255.255.128)

: Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
: 192.168.3.0     *               255.255.255.0   U     0      0        0 eth0
: 203.81.213.0    *               255.255.255.0   U     0      0        0 eth2
: 192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
: 169.254.0.0     *               255.255.0.0     U     0      0        0 eth2
: default         203.81.213.1    0.0.0.0         UG    0      0        0 eth2

: I want to route part1 to ISP1 and Part 2 to ISP2.

Without further data ("ip rule show", "ip route show table $ALT") we cannot know which interface your ISP2 is reachable through.

: I have made changes into rules. But I think my Tables T1,T2 are
: not used and default table is in use. How can I command to use
: tables T1,T2 instead of default table. route command output is

There are a number of resources you might wish to examine first. I would recommend first understanding the RPDB lookup mechanism [0] and then following the steps for multiple uplinks in the (venerable) LARTC documentation [1].

You may find it fruitful to simulate the route lookup on a packet by packet basis by learning how to use the "ip route get" command:

  # ip route get iif eth4 70.14.115.3 from XX.YY.204.58
  70.14.115.3 from XX.YY.204.58 via XX.YY.204.1 dev eth8 src 192.168.4.1
      cache mtu 1500 advmss 1460 metric10 64 iif eth4
  # ip route get iif eth3 70.14.115.3 from 192.168.3.117
  70.14.115.3 from 192.168.3.117 via XX.YY.204.1 dev eth7 src 192.168.3.1
      cache mtu 1500 advmss 1460 metric10 64 iif eth3

Good luck,

-Martin

[0] http://linux-ip.net/html/routing-selection.html
    http://linux-ip.net/html/routing-selection.html#routing-selection-adv
[1] http://lartc.org/howto/lartc.rpdb.multiple-links.html

--
Martin A.
Brown
http://linux-ip.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: pgf-0.72 (http://linux-ip.net/sw/pine-gpg-filter/)

iD8DBQFG3E3iHEoZD1iZ+YcRApZPAJwNhRk25oxC17Zmgy2sLNtBq7HRoACdGk/P
p07vvD2W9yfFK+Ws/wPAjT0=
=BAoI
-----END PGP SIGNATURE-----

From marek at piasta.pl Mon Sep 3 20:12:10 2007
From: marek at piasta.pl (Marek Kierdelewicz)
Date: Mon Sep 3 20:12:34 2007
Subject: [LARTC] 2 ISP connection sharing problem
In-Reply-To: <13c1e7670709031057t7aed1468o72161ac6e70503f6@mail.gmail.com>
References: <13c1e7670709031057t7aed1468o72161ac6e70503f6@mail.gmail.com>
Message-ID: <20070903201210.654ab7ee@catlap>

Hi

>I have divided my network into 2 parts now that is 193.168.3.127/25 and
>192.168.3.128/25. I want to route part1 to ISP1 and Part 2 to ISP2. I
>have made changes into rules. But I think my Tables T1,T2 are not used
>and default table is in use. How can I command to use tables T1,T2

What is the output of the "ip ru sh" command on your router?

cheers,
Marek Kierdelewicz

From pankoAA at yandex.ru Mon Sep 3 20:15:57 2007
From: pankoAA at yandex.ru (Pan'ko Alexander)
Date: Mon Sep 3 20:16:08 2007
Subject: [LARTC] 2 ISP connection sharing problem
In-Reply-To: <13c1e7670709031057t7aed1468o72161ac6e70503f6@mail.gmail.com>
References: <13c1e7670709031057t7aed1468o72161ac6e70503f6@mail.gmail.com>
Message-ID:

On Mon, 3 Sep 2007 22:57:06 +0500 Arman wrote:

> I have divided my network into 2 parts now that is 193.168.3.127/25 and
> 192.168.3.128/25. I want to route part1 to ISP1 and Part 2 to ISP2. I have
> made changes into rules. But I think my Tables T1,T2 are not used and
> default table is in use. How can I command to use tables T1,T2 instead of
> default table.
> route command output is
>
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.3.0     *               255.255.255.0   U     0      0        0 eth0
> 203.81.213.0    *               255.255.255.0   U     0      0        0 eth2
> 192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
> 169.254.0.0     *               255.255.0.0     U     0      0        0 eth2
> default         203.81.213.1    0.0.0.0         UG    0      0        0 eth2
>

What is in the rules?

  ip rule list

You need there:

  xxxx: from 193.168.3.127/25 lookup T1
  xxxx: from 193.168.3.128/25 lookup T2

Then you need NAT. That is all...

--
With best regards,
Pan'ko Alexander.

From netsecuredata at gmail.com Mon Sep 3 20:17:20 2007
From: netsecuredata at gmail.com (Jorge Evangelista)
Date: Mon Sep 3 20:17:37 2007
Subject: [LARTC] 2 ISP connection sharing problem
In-Reply-To:
References: <13c1e7670709031057t7aed1468o72161ac6e70503f6@mail.gmail.com>
Message-ID:

Hi Arman,

If you want to route part 1 to ISP1 and part 2 to ISP2, you should have the following rules:

  ip rule add from 193.168.3.0/25 to 0.0.0.0/0 table 100
  ip route add default via 192.168.1.1 table 100
  ip rule add from 192.168.3.128/25 to 0.0.0.0/0 table 200
  ip route add default via 203.81.213.1 table 200

--
"The network is the computer"

From martin at linux-ip.net Mon Sep 3 20:43:57 2007
From: martin at linux-ip.net (Martin A.
Brown)
Date: Mon Sep 3 20:44:26 2007
Subject: [LARTC] Question about how TC enforces bandwidth limiting
In-Reply-To: <46D758ED.2030705@vadtec.net>
References: <46D758ED.2030705@vadtec.net>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vadtec,

I think you may be hitting two of the most common problems facing novices working with traffic control, so I hope you don't mind my picking on you!

Problem #0
----------
You are applying your shaping on the outbound traffic (presuming that "$IFext" is your external interface). Unless you also have shaping on your inbound traffic ("$IFint"?), then you are only applying shaping characteristics to the upload traffic. This brings us back to two fundamental rules of traffic shaping:

  * For optimal results, your shaping device should be the bottleneck, so that it can act as the traffic flow valve.
  * You can only shape what you transmit. If your edge device is performing shaping, then it should shape upload traffic by a policy applied to the external interface and it should shape download traffic by a policy applied to the internal interface.

In short, add a similar set of HTB + SFQ queues to your internal interface, along with the appropriate classifiers, and try again.

: While I understand how/why TC enforces minimum bandwidth for a
: given class, why is it that for class 100 TC is not enforcing the
: cap of 20kbps to traffic that it is classified at? Is there
: something else I need to do to make TC also enforce arbitrary
: maximum limits for a given classification?
:
: I am on DSL internet with rates 1.5Mbps/384kbps.

That 1.5Mbps (conventional networking terminology and units) is written as 1.5Mbit in terms used by tc.

Problem #1
----------
I think you may be making an error in your units. This is one of the most frequent problems when people start using "tc". Since "tc" sprang from the primordial soup, the following units are used:

  bps = bytes per second
  bit = bits per second

The unfortunate problem with this marking for units is that in many other places in networking we say that bits per second is bps. This is not true with tc. So, if I look at your rate specifications below, they look off by a factor of 8. Please try altering all instances of "kbps" to "kbit" and try your script again. See also these URLs [0] [1] [2].

: I do not make complete use of my pipe just in case of a massive
: burst. I know I will probably not burst such a massive burst, but
: it's better to be safe than sorry.

This is wise.

: Class 90 is the default. Class 100 is a special class, and what
: my question specifically relates to. Class 100 is for bit
: torrent. I do not like the other people in my house using very
: much bandwidth for torrenting as it has a tendency to slow things
: down too greatly.

If you place FIFOs in any of your HTB leaf classes, you can vary the depth of the FIFO queue to help control latency, in addition to that class's total throughput. This is a cheap and dirty way to accomplish this task.

: The problem I have is this: when I disable a given torrent
: client's upload limits, the bandwidth climbs to above the 20kbps
: limit I have set for it. When I classify the traffic in iptables,
: I put it into class 100, so it shouldn't be getting put into the
: default class.

While you are starting and stopping your torrent client, you should also take a look at the class statistics:

  watch -n 1 tc -s class show dev $INTERFACE_NAME

This will allow you to see which class is being used to carry that traffic.

Good luck,

-Martin

[0] http://www.docum.org/docum.org/faq/cache/74.html
[1] http://mailman.ds9a.nl/pipermail/lartc/2003q4/010826.html
[2] http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm

--
Martin A.
Brown
http://linux-ip.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: pgf-0.72 (http://linux-ip.net/sw/pine-gpg-filter/)

iD8DBQFG3FYGHEoZD1iZ+YcRAr3NAKC2Iq1mtkEwd3edzU8mY6CQx/PuKgCggE0F
hcIyU0L25TYNwMkXGcjusWw=
=ifyk
-----END PGP SIGNATURE-----

From vadtec at vadtec.net Mon Sep 3 22:15:20 2007
From: vadtec at vadtec.net (Vadtec)
Date: Mon Sep 3 22:15:37 2007
Subject: [LARTC] Question about how TC enforces bandwidth limiting
In-Reply-To:
References: <46D758ED.2030705@vadtec.net>
Message-ID: <46DC6B58.3090604@vadtec.net>

Martin A. Brown wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Vadtec,
>
> I think you may be hitting two of the most common problems facing
> novices working with traffic control, so I hope you don't mind my
> picking on you!
>
Not at all. :)

> Problem #0
> ----------
> You are applying your shaping on the outbound traffic (presuming
> that "$IFext" is your external interface). Unless you also have
> shaping on your inbound traffic ("$IFint"?), then you are only
> applying shaping characteristics to the upload traffic. This brings
> us back to two fundamental rules of traffic shaping:
>
$IFext is eth0, and is my link to my DSL modem. $IFint would be eth1, which is my interface to my LAN (though I am not shaping traffic on it in any way). Both of these devices plug into my 24 port switch, which the DSL modem is hooked into, as well as all the other computers in the house. So just for clarity's sake, here are the port assignments on the switch:

  Port 1    - DSL modem uplink
  Port 2    - $IFext (eth0) on my router PC
  Port 3    - $IFint (eth1) on my router PC
  Port 4    - My laptop
  Port 5    - My brother's PC
  Port 6/25 - Unused currently, but used at random as needed.

> * For optimal results, your shaping device should be the
> bottleneck, so that it can act as the traffic flow valve.
> * You can only shape what you transmit.
> If your edge device is
> performing shaping, then it should shape upload traffic by a
> policy applied to the external interface and it should shape
> download traffic by a policy applied to the internal interface.
>
> In short, add a similar set of HTB + SFQ queues to your internal
> interface, along with the appropriate classifiers, and try again.
>
So you are saying I have to not only do traffic shaping, but also traffic policing on my internal device? Or do I have to do traffic shaping on both devices and no traffic policing? In other words, how much traffic shaping/policing do I need to put into effect, and on which interfaces?

> : While I understand how/why TC enforces minimum bandwidth for a
> : given class, why is it that for class 100 TC is not enforcing the
> : cap of 20kbps to traffic that it is classified at? Is there
> : something else I need to do to make TC also enforce arbitrary
> : maximum limits for a given classification?
> :
> : I am on DSL internet with rates 1.5Mbps/384kbps.
>
> That 1.5Mbps (conventional networking terminology and units) is
> written as 1.5Mbit in terms used by tc.
>
> Problem #1
> ----------
> I think you may be making an error in your units. This is one of
> the most frequent problems when people start using "tc". Since "tc"
> sprang from the primordial soup, the following units are used:
>
> bps = bytes per second
> bit = bits per second
>
> The unfortunate problem with this marking for units is that in many
> other places in networking we say that bits per second is bps. This
> is not true with tc. So, if I look at your rate specifications
> below, they look off by a factor of 8. Please try altering all
> instances of "kbps" to "kbit" and try your script again. See also
> these URLs [0] [1] [2].
>
So, what you are saying is, it's just a matter of different naming. In essence, 368kbps (conventional) is the same as 368kbit (tc), right?

> : I do not make complete use of my pipe just in case of a massive
> : burst.
> : I know I will probably not burst such a massive burst, but
> : it's better to be safe than sorry.
>
> This is wise.
>
:)

> : Class 90 is the default. Class 100 is a special class, and what
> : my question specifically relates to. Class 100 is for bit
> : torrent. I do not like the other people in my house using very
> : much bandwidth for torrenting as it has a tendency to slow things
> : down too greatly.
>
> If you place FIFOs in any of your HTB leaf classes, you can vary the
> depth of the FIFO queue to help control latency, in addition to that
> class's total throughput. This is a cheap and dirty way to
> accomplish this task.
>
I have no idea what that means. How do I vary the depth of the FIFO to help control latency?

> : The problem I have is this: when I disable a given torrent
> : client's upload limits, the bandwidth climbs to above the 20kbps
> : limit I have set for it. When I classify the traffic in iptables,
> : I put it into class 100, so it shouldn't be getting put into the
> : default class.
>
> While you are starting and stopping your torrent client, you should
> also take a look at the class statistics:
>
> watch -n 1 tc -s class show dev $INTERFACE_NAME
>
> This will allow you to see which class is being used to carry that
> traffic.
>
I ran both "watch -n 1 tc -s class show dev eth0" and "watch -n 1 tc -s qdisc show eth0". (When I ran class show, I did not have enough room to see classes 80 and 90. When I ran qdisc show, I was able to see all the classes.) During my runs of tc in this manner, I saw zero traffic going to class 100 when running, starting, or stopping bit torrent. Almost all the traffic was going to class 10 and 90 (default), with the exception of my ICMP and UDP traffic, which was going to class 70, and class 60, which I have set aside for IRC traffic. Class 100 saw absolutely zero traffic.
Is this a case where the default class (90) is getting all the traffic because it can handle it, as my LAN has very little "other" traffic most of the time to deal with, so there is no need to throttle it back? If so, how can I force a particular class to be used regardless of the default, so that I can control individual apps by themselves?

> Good luck,
>
> -Martin
>
> [0] http://www.docum.org/docum.org/faq/cache/74.html
> [1] http://mailman.ds9a.nl/pipermail/lartc/2003q4/010826.html
> [2] http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm
>
> --
> Martin A. Brown
> http://linux-ip.net/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (GNU/Linux)
> Comment: pgf-0.72 (http://linux-ip.net/sw/pine-gpg-filter/)
>
> iD8DBQFG3FYGHEoZD1iZ+YcRAr3NAKC2Iq1mtkEwd3edzU8mY6CQx/PuKgCggE0F
> hcIyU0L25TYNwMkXGcjusWw=
> =ifyk
> -----END PGP SIGNATURE-----
>

Thank you for your help!

Vadtec

From martin at linux-ip.net Tue Sep 4 04:09:20 2007
From: martin at linux-ip.net (Martin A. Brown)
Date: Tue Sep 4 04:09:54 2007
Subject: [LARTC] Question about how TC enforces bandwidth limiting
In-Reply-To: <46DC6B58.3090604@vadtec.net>
References: <46D758ED.2030705@vadtec.net> <46DC6B58.3090604@vadtec.net>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings again,

: $IFext is eth0, and is my link to my DSL Modem. $IFint would be
: eth1, which is my interface to my LAN (though I am not shaping
: traffic on it in any way).

Yes, exactly. You grasped this below, too. Recall that you can only shape what you transmit? Think about why. If you already have a packet, you can delay the transmission. This is the fundamental behaviour of all non-work-conserving queues. To introduce a delay to a packet involves work.

: So you are saying I have to not only do traffic shaping, but also
: traffic policing on my internal device? Or do I have to do
: traffic shaping on both devices and no traffic policing?
: In other
: words, how much traffic shaping/policing do I need to put into
: effect, and on which interfaces.

Be careful. Shaping and policing are two very different things. I probably could have chosen a word other than "policy" to make this clear. I'll restate this.

If you wish to shape upload traffic, then you must put your traffic control structures on the device closest to the Internet. If you wish to shape download traffic, then you must put your traffic control structures on the device closest to the internal network(s). (If you would like to see how you can break this basic rule, see some advanced traffic control structures called imq and ifb [*].)

: So, what you are saying is, its just a matter of different
: naming. In essence, 368kbps (conventional) is the same as 368kbit
: (tc), right?

Bingo.

: I have no idea what that means. How do I vary the depth of the
: FIFO to help control latency?

OK, in order to vary the exact depth of the fifo to suit your fancy, you'd need to use terminal FIFOs instead of using terminal SFQs:

  tc qdisc add dev $INTERFACE parent 10:1 handle 100:0 pfifo limit 10

Assuming your HTB tree has a leaf class of 10:1, into which you have classified some of your traffic, you now have a very short queue there. If a burst of traffic involving more than ten packets arrives, the traffic will tail drop. In heavily congested situations, this can be useful, although this still allows for a single dominating UDP flow, so I'd probably prefer the SFQ solution, and maybe I shouldn't have brought up this little trick.

: I ran both watch -n 1 tc -s class show dev eth0 and watch -n 1 tc
: -s qdisc show eth0. (When I ran class show, i did not have enough
: room to see classes 80 and 90. When I ran qdisc show, I was able
: to see all the classes.) During my runs of tc in this manner, I
: saw zero traffic going to class 100 when running, starting, or
: stopping bit torrent.
If you expect the torrential traffic to appear in class 100 and it does not, then you have done something wrong in your classifier. Look there.

: Almost all the traffic was going to class 10 and 90 (default)
: with the exception of my ICMP and UDP traffic which was going to
: class 70 and class 60 which I have set aside for IRC traffic.
: Class 100 saw absolutely zero traffic.
:
: Is this a case where the default class (90) is getting all the
: traffic because it can handle it as my LAN has very little
: "other" traffic most of the time to deal with, so there is no
: need to throttle it back? If so, how can I force a particular
: class to be used regardless of the default, so that I can control
: individual apps by themselves?

Try looking at your classifiers ("tc filter" statements) to determine where the problem is. If you can't figure it out, then send the list your classifiers and class structure (tc commands).

I'd skip playing with terminal FIFOs at first (if ever). Try working on the following:

  * switch the units to kbit
  * fix the classifiers and verify that you are seeing all traffic in the class you want to see the traffic in
  * turn the torrent client up to "insane" and watch how your IRC or ssh latency is very low

Good luck,

-Martin

[*] IMQ, intermediate queuing device
    http://www.linuximq.net/
    IFB, intermediate functional block
    http://linux-net.osdl.org/index.php/IFB

--
Martin A.
Brown
http://linux-ip.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: pgf-0.72 (http://linux-ip.net/sw/pine-gpg-filter/)

iD4DBQFG3L5sHEoZD1iZ+YcRAso6AJjnbMjcso8t4+GugFC6eHQOyqJQAJ9kpWbZ
sOS369AbZkPQ9rg3rhiawg==
=gvDh
-----END PGP SIGNATURE-----

From vadtec at vadtec.net Tue Sep 4 14:27:36 2007
From: vadtec at vadtec.net (Vadtec)
Date: Tue Sep 4 14:28:08 2007
Subject: [LARTC] Question about how TC enforces bandwidth limiting
In-Reply-To:
References: <46D758ED.2030705@vadtec.net> <46DC6B58.3090604@vadtec.net>
Message-ID: <46DD4F38.1080905@vadtec.net>

Martin A. Brown wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Greetings again,
>
> : So you are saying I have to not only do traffic shaping, but also
> : traffic policing on my internal device? Or do I have to do
> : traffic shaping on both devices and no traffic policing? In other
> : words, how much traffic shaping/policing do I need to put into
> : effect, and on which interfaces.
>
> Be careful. Shaping and policing are two very different things. I
> probably could have chosen a word other than "policy" to make this
> clear. I'll restate this.
>
> If you wish to shape upload traffic, then you must put your traffic
> control structures on the device closest to the Internet. If
> you wish to shape download traffic, then you must put your traffic
> control structures on the device closest to the internal network(s).
> (If you would like to see how you can break this basic rule, see
> some advanced traffic control structures called imq and ifb [*].)
>
No need for advanced traffic controls for me. All I want to do is control how much bandwidth gets out to the internet. Internally it doesn't matter, as it's all CAT5, so there is plenty of data pipe.

> : I have no idea what that means. How do I vary the depth of the
> : FIFO to help control latency?
>
> OK, in order to vary the exact depth of the fifo to suit your fancy,
> you'd need to use terminal FIFOs instead of using terminal SFQs:
>
> tc qdisc add dev $INTERFACE parent 10:1 handle 100:0 pfifo limit 10
>
> Assuming your HTB tree has a leaf class of 10:1, into which you have
> classified some of your traffic, you now have a very short queue
> there. If a burst of traffic involving more than ten packets
> arrives, the traffic will tail drop. In heavily congested
> situations, this can be useful, although this still allows for a
> single dominating UDP flow, so I'd probably prefer the SFQ solution,
> and maybe I shouldn't have brought up this little trick.
>
I think I'll stick to htb...

> : I ran both watch -n 1 tc -s class show dev eth0 and watch -n 1 tc
> : -s qdisc show eth0. (When I ran class show, i did not have enough
> : room to see classes 80 and 90. When I ran qdisc show, I was able
> : to see all the classes.) During my runs of tc in this manner, I
> : saw zero traffic going to class 100 when running, starting, or
> : stopping bit torrent.
>
> If you expect that the torrential traffic to appear in class 100,
> and it does not, then you have done something wrong in your
> classifier. Look there.
>
By classifier I think you mean:

  iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --dport 10000:10000 -j CLASSIFY --set-class 1:100

And having looked at that, I see part of my problem. --dport should be --sport, as I have no way to control what port the other client wishes to use, but I do have control over what ports I use to send my data stream.

> : Almost all the traffic was going to class 10 and 90 (default)
> : with the exception of my ICMP and UDP traffic which was going to
> : class 70 and class 60 which I have set aside for IRC traffic.
> : Class 100 saw absolutely zero traffic.
> :
> : Is this a case where the default class (90) is getting all the
> : traffic because it can handle it as my LAN has very little
> : "other" traffic most of the time to deal with, so there is no
> : need to throttle it back? If so, how can I force a particular
> : class to be used regardless of the default, so that I can control
> : individual apps by themselves?
>
> Try looking at your classifiers ("tc filter" statements) to
> determine where the problem is. If you can't figure it out, then
> send the list your classifiers and class structure (tc commands).
>
I ran "tc filter" on the command line, but received no output in return. I read the man page and it leads me to believe that it's not meant for viewing the filters.

I also did some packet sniffing on my router PC. I am not 100% sure why yet, but when I would filter on ports 10000-10004, wireshark would return packets that had source ports other than the range I was looking for. While I cannot be sure as of yet, I think this is a result of the NAT process: the router box is using whatever port it has available while allowing my bit torrent client to send on the proper ports. (I am still learning about NAT, so I'm still confused about some things. To be honest, I would like to be able to NAT not only IPs but ports as well, so that I do not have to reconfigure things like SSH to run on non-standard ports. But that's for another mailing list. :P)

One thing I did notice was, while I did see traffic in class 100 for the first time, my torrent client still showed outgoing bandwidth of more than 20kbit. Is this simply a function of the router actually limiting the traffic and the torrent client simply not knowing? Or (and I assume this is incorrect thinking) should the torrent client visibly indicate to me that it can only send at X rate because it's limited?

To make this much simpler, I will paste my tc rules and iptables rules (which classify my traffic) at the bottom of this e-mail.
I hope you can find something (related specifically to bit torrent) that will allow me to limit torrent traffic without the need to limit each client by hand.

> I'd skip playing with terminal FIFOs at first (if ever). Try
> working on the following:
>
> * switch the units to kbit
> * fix the classifiers and verify that you are seeing all traffic
> in the class you want to see the traffic in
> * turn the torrent client up to "insane" and watch how your IRC or
> ssh latency is very low
>
Already done the switch to kbit. Started seeing traffic in class 100 by changing my iptables rules. Set the torrent client to unlimited outgoing bandwidth and, as usual, things like SSH slowed down on sending (which is a bit perplexing). As soon as I set the torrent client back down to a 20kbit limit (in the client), SSH response came back to normal. As you can see below, this is probably because I have bulk SSH traffic set in the default class (90), which should allow SSH to use 2kbit to 360kbit of bandwidth. So I am at a total loss as to why (outgoing) SSH traffic would become so slow, because it has access to more bandwidth than torrent (at least in my thinking).

> Good luck,
>
> -Martin
>
> [*] IMQ, intermediate queuing device
> http://www.linuximq.net/
> IFB, intermediate functional block
> http://linux-net.osdl.org/index.php/IFB
>
> --
> Martin A. Brown
> http://linux-ip.net/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (GNU/Linux)
> Comment: pgf-0.72 (http://linux-ip.net/sw/pine-gpg-filter/)
>
> iD4DBQFG3L5sHEoZD1iZ+YcRAso6AJjnbMjcso8t4+GugFC6eHQOyqJQAJ9kpWbZ
> sOS369AbZkPQ9rg3rhiawg==
> =gvDh
> -----END PGP SIGNATURE-----
>

Thanks again for all your help. Maybe you will be able to help me learn this and figure out what I've been doing wrong.
:)

Vadtec

--------------------------------------------------------------------------------------------------------
$IFext is of course eth0 (link to the modem)

# 360kbit traffic (1:10)
# small TCP control segments (handshake, bare ACKs, RST/FIN) get the top class
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --syn -m length --length 40:68 -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --tcp-flags ALL SYN,ACK -m length --length 40:68 -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --tcp-flags ALL ACK -m length --length 40:100 -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --tcp-flags ALL RST -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --tcp-flags ALL ACK,RST -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --tcp-flags ALL ACK,FIN -j CLASSIFY --set-class 1:10

# 256kbit traffic (1:20)
# interactive SSH traffic (small packets only; bulk SSH is matched further down)
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --sport 10022 -m length --length 40:100 -j CLASSIFY --set-class 1:20
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --dport 10022 -m length --length 40:100 -j CLASSIFY --set-class 1:20

# 128kbit traffic (1:30)
# interactive mail or web traffic
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp -m multiport --sport http,imap,https,imaps -j CLASSIFY --set-class 1:30
# dns lookups
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --dport domain -j CLASSIFY --set-class 1:30
# team speak
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --dport 8767 -j CLASSIFY --set-class 1:30

# 64kbit traffic (1:40)

# 32kbit traffic (1:50)
# SSH (bulk: anything longer than the interactive match above)
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --sport 10022 -m length --length 101: -j CLASSIFY --set-class 1:50
# NFS
#iptables -t mangle -A POSTROUTING -o ${IFext} -p udp --sport 2049 -j CLASSIFY --set-class 1:50
#iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --sport 2049 -j CLASSIFY --set-class 1:50

# 20kbit traffic (1:60)
# default irc traffic
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --dport 6660:6669 -j CLASSIFY --set-class 1:60
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --dport 6999 -j CLASSIFY --set-class 1:60
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --dport 7000 -j CLASSIFY --set-class 1:60

# 16kbit traffic (1:70)
# ICMP, UDP
iptables -t mangle -A POSTROUTING -o ${IFext} -p udp -j CLASSIFY --set-class 1:70
iptables -t mangle -A POSTROUTING -o ${IFext} -p icmp -m length --length 28:1500 -m limit --limit 2/s --limit-burst 5 -j CLASSIFY -$

# 8kbit traffic (1:80)

# 2kbit traffic (1:90)
# bulk traffic
iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --sport 25 -j CLASSIFY --set-class 1:90

iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --sport 10000:10004 -j CLASSIFY --set-class 1:100   <=== this is the bit torrent classifier
--------------------------------------------------------------------------------------------------------
$IFext is of course eth0 (link to the modem), $QUANTUM is 1490 (due to, if I assume correctly, my MTU being 1492, in the modem), $MAX_RATE is 360kbit (360kbps in conventional talk)

# root HTB qdisc; anything the iptables rules above did not classify lands in 1:90
$TC qdisc add dev $IFext root handle 1: htb default 90
$TC class add dev $IFext parent 1: classid 1:1 htb rate $MAX_RATE quantum $QUANTUM

# leaf classes: guaranteed "rate", borrowing up to "ceil" when the link is idle, lower prio wins
$TC class add dev $IFext parent 1:1 classid 1:10 htb rate 240kbit ceil $MAX_RATE prio 0 quantum $QUANTUM
$TC class add dev $IFext parent 1:1 classid 1:20 htb rate 192kbit ceil $MAX_RATE prio 1 quantum $QUANTUM
$TC class add dev $IFext parent 1:1 classid 1:30 htb rate 80kbit ceil $MAX_RATE prio 2 quantum $QUANTUM
$TC class add dev $IFext parent 1:1 classid 1:40 htb rate 64kbit ceil $MAX_RATE prio 3 quantum $QUANTUM
$TC class add dev $IFext parent 1:1 classid 1:50 htb rate 32kbit ceil $MAX_RATE prio 4 quantum $QUANTUM
$TC class add dev $IFext parent 1:1 classid 1:60 htb rate 20kbit ceil $MAX_RATE prio 5 quantum $QUANTUM
$TC class add dev $IFext parent 1:1 classid 1:70 htb rate 16kbit ceil $MAX_RATE prio 6 quantum $QUANTUM
$TC class add dev $IFext parent 1:1 classid 1:80 htb rate 8kbit ceil $MAX_RATE prio 7 quantum $QUANTUM
$TC class add dev $IFext parent 1:1 classid 1:90 htb rate 2kbit ceil $MAX_RATE prio 8 quantum $QUANTUM
# bit torrent: the only class whose ceil is below $MAX_RATE
$TC class add dev $IFext parent 1:1 classid 1:100 htb rate 2kbit ceil 20kbit prio 9 quantum $QUANTUM

# one SFQ per leaf so a single flow cannot monopolise its class
$TC qdisc add dev $IFext parent 1:10 handle 10: sfq perturb 10
$TC qdisc add dev $IFext parent 1:20 handle 20: sfq perturb 10
$TC qdisc add dev $IFext parent 1:30 handle 30: sfq perturb 10
$TC qdisc add dev $IFext parent 1:40 handle 40: sfq perturb 10
$TC qdisc add dev $IFext parent 1:50 handle 50: sfq perturb 10
$TC qdisc add dev $IFext parent 1:60 handle 60: sfq perturb 10
$TC qdisc add dev $IFext parent 1:70 handle 70: sfq perturb 10
$TC qdisc add dev $IFext parent 1:80 handle 80: sfq perturb 10
$TC qdisc add dev $IFext parent 1:90 handle 90: sfq perturb 10
$TC qdisc add dev $IFext parent 1:100 handle 100: sfq perturb 10

From martin at linux-ip.net Tue Sep 4 15:02:16 2007
From: martin at linux-ip.net (Martin A. Brown)
Date: Tue Sep 4 15:02:51 2007
Subject: [LARTC] Question about how TC enforces bandwidth limiting
In-Reply-To: <46DD4F38.1080905@vadtec.net>
References: <46D758ED.2030705@vadtec.net> <46DC6B58.3090604@vadtec.net> <46DD4F38.1080905@vadtec.net>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Good morning,

: By classifier I think you mean:
: iptables -t mangle -A POSTROUTING -o ${IFext} -p tcp --dport 10000:10000 -j
: CLASSIFY --set-class 1:100

Exactly.

: And having looked at that, I see part of my problem. --dport should be
: --sport as I have no way to control what port
: the other client wishes to use, but I do have control over what ports I use
: to send my data stream.

Yes. We think about services (at TCP) as being on a standard port, but iptables operates at L3 (even though it can examine higher layers). So, if the packet in question is a return packet from an HTTP server to a client, then as far as iptables is concerned, the source port is tcp/80.
 : I ran "tc filter" on the command line, but received no output in
 : return. I read the man page and it leads me to believe that it's
 : not meant for viewing the filters.

Depends, but yes, the "tc filter" output is not necessarily attractive. You can classify with "tc filter" instead of iptables, but if you reach your goal, it doesn't matter which mechanism you use to classify your packets.

 : One thing I did notice was, while I did see traffic in class 100
 : for the first time, my torrent client still showed outgoing
 : bandwidth of more than 20kbit.

Well, a typical torrent client will use a number of connections. Perhaps some of the connections are classified correctly and some are not?

 : Is this simply a function of the router actually limiting the
 : traffic and the torrent client simply not knowing? Or (and I
 : assume this is incorrect thinking) should the torrent client
 : visibly indicate to me that it can only send at X rate because
 : it's limited?

I would expect the torrent client to be reporting the actual speed(s), so I would expect it to be reporting 20kbit rates.

 : To make this much simpler, I will paste my tc rules and iptables
 : rules (which classify my traffic) at the bottom of this e-mail. I
 : hope you can find something (related specifically to bit torrent)
 : that will allow me to limit torrent traffic without the need to
 : limit each client by hand.

You are getting there.

 : So I am at a total loss as to why (outgoing) SSH traffic would
 : become so slow, because it has access to more bandwidth than
 : torrent (at least in my thinking).

Are you sure that it's outgoing SSH traffic that is slow? Consider the following scenario:

  * your outgoing queues are configured completely correctly
  * outgoing ssh IP packet gets into correct queue
  * inbound return IP packet from ssh server is delayed inbound
    because you are not shaping downstream traffic

So, before you conclude that your shaping isn't working, I think you'll need to apply some sort of mechanisms also on your internal interface.

Snipped iptables classification. Nothing looks fishy to me there (though I haven't used the iptables CLASSIFY target).

 : $IFext is of course eth0 (link to the modem), $QUANTUM is 1490
 : (due to, if I assume correctly, my MTU being 1492, in the modem),
 : $MAX_RATE is 360kbit (360kbps conventional talk)

I wouldn't set quantum unless you need to do so. HTB will calculate this for you. If you do need to set the quantum, I'd recommend setting it just a bit larger than the MTU...so 1500 or 1536 in your pppoe situation.

Good luck,

- -Martin

- -- 
Martin A. Brown
http://linux-ip.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: pgf-0.72 (http://linux-ip.net/sw/pine-gpg-filter/)

iD8DBQFG3Vd1HEoZD1iZ+YcRAv0pAKDZ0qtpxyOkGJJQ7H5rWtFi3HlM2gCgrugd
WyARMeCjVI9TD/1CcTTDAsw=
=RKrP
-----END PGP SIGNATURE-----

From vadtec at vadtec.net Tue Sep 4 15:39:37 2007
From: vadtec at vadtec.net (Vadtec)
Date: Tue Sep 4 15:39:57 2007
Subject: [LARTC] Question about how TC enforces bandwidth limiting
In-Reply-To: 
References: <46D758ED.2030705@vadtec.net> <46DC6B58.3090604@vadtec.net> <46DD4F38.1080905@vadtec.net>
Message-ID: <46DD6019.7080000@vadtec.net>

Martin A. Brown wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Good morning,
>
> : I ran "tc filter" on the command line, but received no output in
> : return. I read the man page and it leads me to believe that it's
> : not meant for viewing the filters.
>
> Depends, but yes, the "tc filter" output is not necessarily
> attractive.
> You can classify with "tc filter" instead of iptables,
> but if you reach your goal, it doesn't matter which mechanism you
> use to classify your packets.
>
Can you provide a simple example of how to filter with tc rather than iptables? Just enough of an idea for me to grasp it on my own. I think it would be better to use tc to do the filtering rather than iptables, as that's what tc is meant to do.

> : One thing I did notice was, while I did see traffic in class 100
> : for the first time, my torrent client still showed outgoing
> : bandwidth of more than 20kbit.
>
> Well, a typical torrent client will use a number of connections.
> Perhaps some of the connections are classified correctly and some
> are not?
>
One thing I had failed to take into account was the possibility that bit torrent *may* be using some UDP ports. In an attempt to test this theory, I added the udp filters to iptables and watched the data stream. No change. -_- Bit torrent is still showing outgoing speeds of above 20k. So, I then limited the filter to the LAN IP for my router box and forced my torrent client to use that IP. Still above 20k. Long story short, I tried about 5 different things to get it to work properly. No luck. I think part of the problem is that my torrent client doesn't seem to honor the port ranges I put into effect. Which would definitely allow traffic to get past it.

> : Is this simply a function of the router actually limiting the
> : traffic and the torrent client simply not knowing? Or (and I
> : assume this is incorrect thinking) should the torrent client
> : visibly indicate to me that it can only send at X rate because
> : it's limited?
>
> I would expect the torrent client to be reporting the actual
> speed(s), so I would expect it to be reporting 20kbit rates.
>
As would I.

> : To make this much simpler, I will paste my tc rules and iptables
> : rules (which classify my traffic) at the bottom of this e-mail. I
> : hope you can find something (related specifically to bit torrent)
> : that will allow me to limit torrent traffic without the need to
> : limit each client by hand.
>
> You are getting there.
>
> : So I am at a total loss as to why (outgoing) SSH traffic would
> : become so slow, because it has access to more bandwidth than
> : torrent (at least in my thinking).
>
> Are you sure that it's outgoing SSH traffic that is slow? Consider
> the following scenario:
>
> * your outgoing queues are configured completely correctly
> * outgoing ssh IP packet gets into correct queue
> * inbound return IP packet from ssh server is delayed inbound
>   because you are not shaping downstream traffic
>
> So, before you conclude that your shaping isn't working, I think
> you'll need to apply some sort of mechanisms also on your internal
> interface.
>
Bah, I need to figure out outgoing before I mess with incoming. I'm liable to cut myself off from the internet. :P

> Snipped iptables classification. Nothing looks fishy to me there
> (though I haven't used the iptables CLASSIFY target).
>
> : $IFext is of course eth0 (link to the modem), $QUANTUM is 1490
> : (due to, if I assume correctly, my MTU being 1492, in the modem),
> : $MAX_RATE is 360kbit (360kbps conventional talk)
>
> I wouldn't set quantum unless you need to do so. HTB will calculate
> this for you. If you do need to set the quantum, I'd recommend
> setting it just a bit larger than the MTU...so 1500 or 1536 in your
> pppoe situation.
>
Ok, quantum has always been 1512 for me, so I assume tc is taking care of it.

> Good luck,
>
> - -Martin
>
> - --
> Martin A. Brown
> http://linux-ip.net/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (GNU/Linux)
> Comment: pgf-0.72 (http://linux-ip.net/sw/pine-gpg-filter/)
>
> iD8DBQFG3Vd1HEoZD1iZ+YcRAv0pAKDZ0qtpxyOkGJJQ7H5rWtFi3HlM2gCgrugd
> WyARMeCjVI9TD/1CcTTDAsw=
> =RKrP
> -----END PGP SIGNATURE-----
>
So, I am at a total loss as to why this isn't working. Well, not a total loss, but enough of a total loss as to disable some of the shaping I had been using that was giving me fits. I think it's much better for me to let the default class handle everything and go from there for now. As I said above, can you provide a simple example of how to filter with tc? I think filtering in tc will be both more appropriate and less hassling.

I really appreciate you taking the time to help me with this. I am by no means a noob to networking, but when it comes to traffic shaping, I might as well be. Though, on a positive note, at least I've been able to properly shape some traffic, like IRC. :)

(I'm also going to contact the developers of my torrent client and ask them about port range limiting. And why it doesn't seem to be working.)

Thanks again,
Vadtec

From arman.anwar at gmail.com Tue Sep 4 19:55:17 2007
From: arman.anwar at gmail.com (Arman)
Date: Tue Sep 4 19:55:29 2007
Subject: [LARTC] Re: 2 ISP connection sharing problem
Message-ID: <13c1e7670709041055t4be18ac9qfa35fc8844b112a4@mail.gmail.com>

Hi all,

I am now testing on a simplest scenario. I have an ip 192.168.3.5 on intranet. I want to route it through ISP1. All other traffic will go through ISP2 which is default gateway on machine so I don't need to add any rule for that.
I have executed following commands
----
echo 150 ISP1 >> /etc/iproute2/rt_tables
ip rule add from 193.168.3.5/32 to 0.0.0.0/0 table ISP1
ip route add default via 192.168.1.1 table ISP1
ip route flush cache
----

Following is the tables state

[root@localhost ~]# ip rule list
0:      from all lookup local
32764:  from 193.168.3.5 lookup ISP1
32765:  from 193.168.3.5 lookup ISP1
32766:  from all lookup main
32767:  from all lookup default

[root@localhost ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.3.0     *               255.255.255.0   U     0      0        0 eth0
203.81.198.0    *               255.255.255.0   U     0      0        0 eth2
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         203.81.194.24   0.0.0.0         UG    0      0        0 eth2

[root@localhost ~]# ip route list table ISP1
default via 192.168.1.1 dev eth1

system is natted. I have checked for ip 192.168.3.5 but this is still from default gateway. Not going my settings. Internet is working for 192.168.3.5 but through ISP2. Will I have to do something with main table?

-- 
Regards,
Arman

From arman.anwar at gmail.com Tue Sep 4 23:21:18 2007
From: arman.anwar at gmail.com (Arman)
Date: Tue Sep 4 23:21:24 2007
Subject: [LARTC] Re: 2 ISP connection sharing problem
In-Reply-To: 
References: <13c1e7670709041055t4be18ac9qfa35fc8844b112a4@mail.gmail.com>
Message-ID: <13c1e7670709041421k3c807077qde0c88dfd7b53998@mail.gmail.com>

Here is my natting script
--------------
IPTABLES=/sbin/iptables
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPTABLES -F
$IPTABLES -t nat -F
/sbin/modprobe ip_nat_ftp
INTERNAL_NETWORK="192.168.3.0/24"
$IPTABLES -t nat -A POSTROUTING -s $INTERNAL_NETWORK -o eth2 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s $INTERNAL_NETWORK -o eth1 -j MASQUERADE
$IPTABLES -A INPUT -i eth0 -s $INTERNAL_NETWORK -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -o eth2 -s $INTERNAL_NETWORK -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -o eth1 -s $INTERNAL_NETWORK -m state --state ESTABLISHED,RELATED -j ACCEPT
-------------------

On 9/5/07, Pan'ko Alexander wrote:
>
> On Tue, 4 Sep 2007 22:55:17 +0500
> Arman wrote:
>
> > Hi all,
> > I am now testing on a simplest scenario. I have an ip 192.168.3.5 on
> > intranet. I want to route it through ISP1. All other traffic will go
> > through ISP2 which is default gateway on machine so I don't need to add
> > any rule for that. I have executed following commands
> > ----
> > echo 150 ISP1 >> /etc/iproute2/rt_tables
> > ip rule add from 193.168.3.5/32 to 0.0.0.0/0 table ISP1
> > ip route add default via 192.168.1.1 table ISP1
> > ip route flush cache
> > ----
> > Following is the tables state
> >
> > [root@localhost ~]# ip rule list
> > 0:      from all lookup local
> > 32764:  from 193.168.3.5 lookup ISP1
> > 32765:  from 193.168.3.5 lookup ISP1
> > 32766:  from all lookup main
> > 32767:  from all lookup default
> >
> > [root@localhost ~]# route
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 192.168.3.0     *               255.255.255.0   U     0      0        0 eth0
> > 203.81.198.0    *               255.255.255.0   U     0      0        0 eth2
> > 192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
> > 169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
> > default         203.81.194.24   0.0.0.0         UG    0      0        0 eth2
> >
> > [root@localhost ~]# ip route list table ISP1
> > default via 192.168.1.1 dev eth1
> >
> I have very nearest configuration and it is working
>
> > system is natted.
>
> What and how is natted?
>
> The right is:
> iptables -t nat -A POSTROUTING -s 192.168.3.5 -j MASQUERADE
>
> Or
> iptables -t nat -A POSTROUTING -s 192.168.3.5 -j SNAT --to-source (ip of eth1)
>
> May be you have
> iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -j SNAT --to-source (ip of eth2)
> It is wrong.
>
> Try to determine routing by tcpdump -i ethX.
>
> > I have checked for ip 192.168.3.5 but this is still from default gateway.
> > Not going my settings. Internet is working for 192.168.3.5 but through ISP2.
> > Will I have to do something with main table?
> >
> > --
> > Regards,
> > Arman
>
> --
> With best regards, Pan'ko Alexander.
>

-- 
Regards,
Arman Anwar
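Added example (editorial, not code from the thread): a small Python check that parses the `ip rule list` and `route` listings quoted above and flags policy-routing rules whose source lies outside every directly connected network, plus rules that were entered twice. On a NAT box whose LANs are all directly connected, a rule source outside them is almost always a typo, and the listings show one: the rules say 193.168.3.5 while the LAN on eth0 is 192.168.3.0/24, so neither ISP1 rule can match packets from 192.168.3.5 and the main table's default via eth2 wins every time. The listings are copied from the thread; nothing else is assumed.

```python
import ipaddress
import re
from collections import Counter

# Listings as posted in the thread above (`ip rule list` and `route` on the
# NAT box); the rule source is copied exactly as it appeared there.
RULES = """\
0:      from all lookup local
32764:  from 193.168.3.5 lookup ISP1
32765:  from 193.168.3.5 lookup ISP1
32766:  from all lookup main
32767:  from all lookup default
"""

ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.3.0     *               255.255.255.0   U     0      0        0 eth0
203.81.198.0    *               255.255.255.0   U     0      0        0 eth2
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         203.81.194.24   0.0.0.0         UG    0      0        0 eth2
"""

# "<pref>: from <src> [to <dst>] ... lookup <table>" as printed by `ip rule list`
RULE_RE = re.compile(r"^(\d+):\s+from (\S+)(?: to (\S+))?.*?lookup (\S+)")


def parse_rules(text):
    """Return (preference, source network, table) for rules with a specific source."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group(2) == "all":
            continue
        pref, src, _dst, table = m.groups()
        rules.append((int(pref), ipaddress.ip_network(src, strict=False), table))
    return rules


def parse_connected(text):
    """Return (network, iface) for the directly connected routes in `route` output."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        # eight columns, not the default route, no G (gateway) flag
        if len(parts) != 8 or parts[0] == "default" or "G" in parts[3]:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[2]}")
        except ValueError:  # the column-header line
            continue
        nets.append((net, parts[7]))
    return nets


def check_rules(rules, connected):
    """Flag rule sources outside every connected network, and rules added twice."""
    unreachable = [
        (pref, str(src), table)
        for pref, src, table in rules
        if not any(src.subnet_of(net) for net, _ in connected)
    ]
    counts = Counter((str(src), table) for _, src, table in rules)
    duplicates = [key for key, n in counts.items() if n > 1]
    return {"unreachable": unreachable, "duplicates": duplicates}


if __name__ == "__main__":
    report = check_rules(parse_rules(RULES), parse_connected(ROUTES))
    for pref, src, table in report["unreachable"]:
        print(f"rule {pref}: from {src} lookup {table} matches no connected network")
    for src, table in report["duplicates"]:
        print(f"duplicate rule: from {src} lookup {table}")
```

Run against the listings it reports both ISP1 rules as unreachable and as a duplicate pair; with the source corrected to 192.168.3.5 it reports nothing, and the NAT script posted in the follow-up already masquerades on both eth1 and eth2, so the routing rule is the only thing standing between the host and ISP1.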
From mingching.tiew at redtone.com Wed Sep 5 05:09:02 2007
From: mingching.tiew at redtone.com (Ming-Ching Tiew)
Date: Wed Sep 5 05:09:55 2007
Subject: [LARTC] NAT-aware traffic analysis
Message-ID: <00af01c7ef6a$1c8a3560$0100a8c0@MingChing>

I have tried using iptraf for my NAT firewall to analyse the IP traffic. Basically I am faced with this difficulty of relating the source IP to the outgoing interface to the internet, so I am wondering if anyone has a suggestion for a different way to do it, or a suggestion for a better tool.

Details :-

Supposed :
eth0 - LAN
eth1 - WAN1
eth2 - WAN2

And then all source IPs in the LAN are SNAT to the respective WAN interface when they leave for the internet. There is also DNAT traffic from the internet to the LAN.

I want to break down the statistics of LAN users using the internet. If I run iptraf on eth0, I will see the LAN stats, but I don't know for sure which one really goes out to which WAN (some traffic does not even go out to the WAN at all!). Then when I sniff at eth1 or eth2, I lose the information about the LAN IPs.

How could I do a stateful or NAT-aware traffic analysis? Does anyone have a good suggestion?

--------------------------------------------------------
Important Warning!
***************************
This electronic communication (including any attached files) may contain confidential and/or legally privileged information and is only intended for the use of the person to whom it is addressed. If you are not the intended recipient, you do not have permission to read, use, disseminate, distribute, copy or retain any part of this communication or its attachments in any form. If this e-mail was sent to you by mistake, please take the time to notify the sender so that they can identify the problem and avoid any more mistakes in sending e-mail to you.
The unauthorised use of information contained in this communication or its attachments may result in legal action against any person who uses it.

From salim.si at cipherium.com.tw Wed Sep 5 05:36:48 2007
From: salim.si at cipherium.com.tw (Salim S I)
Date: Wed Sep 5 05:37:05 2007
Subject: [LARTC] NAT-aware traffic analysis
In-Reply-To: <00af01c7ef6a$1c8a3560$0100a8c0@MingChing>
Message-ID: <000e01c7ef6d$fdb611f0$91021d0a@SalimSi>

A different approach is to use iptables counters in FORWARD chain (-s $CLIENT_IP -i eth0 -o ! eth0). That would require a rule for each user.

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Ming-Ching Tiew
Sent: Wednesday, September 05, 2007 11:09 AM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] NAT-aware traffic analysis

I have tried using iptraf for my NAT firewall to analyse the IP traffic. Basically I am faced with this difficulty of relating the source IP to the outgoing interface to the internet, so I am wondering if anyone has a suggestion for a different way to do it, or a suggestion for a better tool.

Details :-

Supposed :
eth0 - LAN
eth1 - WAN1
eth2 - WAN2

And then all source IPs in the LAN are SNAT to the respective WAN interface when they leave for the internet. There is also DNAT traffic from the internet to the LAN.

I want to break down the statistics of LAN users using the internet. If I run iptraf on eth0, I will see the LAN stats, but I don't know for sure which one really goes out to which WAN (some traffic does not even go out to the WAN at all!). Then when I sniff at eth1 or eth2, I lose the information about the LAN IPs.

How could I do a stateful or NAT-aware traffic analysis? Does anyone have a good suggestion?

From mingching.tiew at redtone.com Wed Sep 5 06:00:46 2007
From: mingching.tiew at redtone.com (Ming-Ching Tiew)
Date: Wed Sep 5 06:01:00 2007
Subject: [LARTC] NAT-aware traffic analysis
References: <000e01c7ef6d$fdb611f0$91021d0a@SalimSi>
Message-ID: <011501c7ef71$56d6f760$0100a8c0@MingChing>

From: "Salim S I"
> A different approach is to use iptables counters in FORWARD chain (-s
> $CLIENT_IP -i eth0 -o ! eth0). That would require a rule for each user.
>

Well, sort of theoretically possible but bad in practice. If I have 300 internal users, I will have to create 300 iptables rules. Then if I want to analyse based on sport or dport, you can imagine the number of rules will be quite many.

Does anyone have other suggestions?

From martin at linux-ip.net Wed Sep 5 06:20:46 2007
From: martin at linux-ip.net (Martin A. Brown)
Date: Wed Sep 5 06:21:20 2007
Subject: [LARTC] NAT-aware traffic analysis
In-Reply-To: <00af01c7ef6a$1c8a3560$0100a8c0@MingChing>
References: <00af01c7ef6a$1c8a3560$0100a8c0@MingChing>
Message-ID: 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

 : I have tried using iptraf for my NAT firewall to analyse the IP
 : traffic. Basically I am faced with this difficulty of relating the
 : source IP to the outgoing interface to the internet, so I am
 : wondering if anyone has a suggestion for a different way to do
 : it, or a suggestion for a better tool.

I don't know of a flow analysis tool that records internal and external addresses at the NAT boundary. Without knowing how you separate your traffic outbound, it'd be hard for us to guess what the shortcomings of any of these solutions might be, but here are a few ideas:

  * Record the state of /proc/net/ip_conntrack and your flow information snapshots at exactly the same time. Use the ip_conntrack state information (programmatically) to yield the answers you want about usage information.

  * Use a flow analysis tool (e.g., argus) to record the flow information on your internal interface. Since you built the rules for distributing traffic and selecting the path for outbound flows, you should be able to map this same logic onto your recorded flows.

In short, I think you may have better luck approaching the problem as a flow-analysis problem than a statistical summarization of traffic on any specific interface.

Good luck,

- -Martin

- -- 
Martin A. Brown
http://linux-ip.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: pgf-0.72 (http://linux-ip.net/sw/pine-gpg-filter/)

iD8DBQFG3i65HEoZD1iZ+YcRAkqiAJ4rp7p3Sg+b4i0PYvpXRlHZtrm/ogCfe52L
00fFE3OOeNHP8QIiTRuB9LM=
=Egrt
-----END PGP SIGNATURE-----

From mitnlag at yandex.ru Wed Sep 5 15:30:36 2007
From: mitnlag at yandex.ru (Виталий Цховребов)
Date: Wed Sep 5 15:31:00 2007
Subject: [LARTC] billing-counting
Message-ID: <633532758.20070905173036@yandex.ru>

Hello, people. Maybe I'm off-topic, but:

how to count traffic from every ip of local network, masqueraded by iptables? like squid log or into mysql tables...

Regards, Vitaliy.

From gui at maniacs.com.br Wed Sep 5 15:45:11 2007
From: gui at maniacs.com.br (Guilherme de Freitas Figueiredo)
Date: Wed Sep 5 15:45:18 2007
Subject: [LARTC] billing-counting
In-Reply-To: <633532758.20070905173036@yandex.ru>
References: <633532758.20070905173036@yandex.ru>
Message-ID: <9c48850e0709050645p564e7d2cm7403db7bc6c00fae@mail.gmail.com>

hi!

try bandwidthd or ipac-ng

cya!

2007/9/5, Виталий Цховребов:
>
> Hello, people. Maybe I'm off-topic, but:
>
> how to count traffic from every ip of local network, masqueraded by
> iptables? like squid log or into mysql tables...
>
> Regards, Vitaliy.
>

-- 
[]s!
--
Guilherme de Freitas Figueiredo - gui@maniacs.com.br - http://gui.maniacs.com.br
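Added example for the two questions above, Ming-Ching's NAT-aware per-user breakdown and Vitaliy's per-IP counting behind MASQUERADE; it is editorial, not code from the thread. It implements Martin's first suggestion: read a snapshot of /proc/net/ip_conntrack and use the reply tuple of each entry to recover the post-NAT address, which identifies both the LAN host and the WAN interface the flow used (after SNAT/MASQUERADE the reply destination is the WAN address; after DNAT the reply source is the LAN server). The conntrack lines are constructed; the WAN-address-to-interface table and the LAN prefix are assumptions. It needs connection-tracking accounting (the packets=/bytes= fields); without it the counters are absent and the parser counts zero.

```python
import re
from collections import defaultdict

# Constructed sample in the /proc/net/ip_conntrack format of the 2.6 ip_conntrack
# module: one entry per line, original tuple first, then the reply tuple. The
# packets=/bytes= counters are present only when conntrack accounting is enabled.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.3.5 dst=203.81.198.10 sport=1234 dport=80 packets=12 bytes=1500 src=203.81.198.10 dst=203.81.198.2 sport=80 dport=1234 packets=10 bytes=9000 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.3.7 dst=192.168.1.1 sport=40000 dport=53 packets=1 bytes=60 src=192.168.1.1 dst=192.168.1.2 sport=53 dport=40000 packets=1 bytes=120 mark=0 use=1
tcp      6 299 ESTABLISHED src=203.81.198.77 dst=203.81.198.2 sport=5555 dport=80 packets=5 bytes=400 src=192.168.3.10 dst=203.81.198.77 sport=80 dport=5555 packets=8 bytes=7000 [ASSURED] mark=0 use=1
tcp      6 100 ESTABLISHED src=192.168.3.5 dst=192.168.3.1 sport=2000 dport=22 packets=3 bytes=300 src=192.168.3.1 dst=192.168.3.5 sport=22 dport=2000 packets=3 bytes=500 [ASSURED] mark=0 use=1
"""

# Assumed: the firewall's own WAN addresses (eth1 = WAN1, eth2 = WAN2) and LAN prefix.
WAN_ADDRS = {"203.81.198.2": "eth2", "192.168.1.2": "eth1"}
LAN_PREFIX = "192.168.3."

# One tuple: addresses, ports and (optionally) the accounting counters.
TUPLE_RE = re.compile(
    r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)(?: packets=(\d+) bytes=(\d+))?"
)


def parse_conntrack(text):
    """Return (orig, reply) pairs; each is (src, dst, sport, dport, packets, bytes).
    Entries without two port-carrying tuples (ICMP, for instance) are skipped."""
    flows = []
    for line in text.splitlines():
        tuples = TUPLE_RE.findall(line)
        if len(tuples) == 2:
            flows.append(tuple(tuples))
    return flows


def classify(orig, reply):
    """Attribute a flow to (lan_host, wan_iface, direction).

    wan_iface is None for flows that were not NATed (LAN-to-firewall, LAN-to-LAN)."""
    o_src, o_dst = orig[0], orig[1]
    r_src, r_dst = reply[0], reply[1]
    if o_src.startswith(LAN_PREFIX) and r_dst in WAN_ADDRS:
        return o_src, WAN_ADDRS[r_dst], "out"      # LAN client -> internet (SNAT)
    if o_dst in WAN_ADDRS and r_src.startswith(LAN_PREFIX):
        return r_src, WAN_ADDRS[o_dst], "in"       # internet -> LAN server (DNAT)
    return o_src, None, "local"


def account(text):
    """Bytes sent/received per (LAN host, WAN interface) from one conntrack snapshot."""
    usage = defaultdict(lambda: {"sent": 0, "received": 0})
    for orig, reply in parse_conntrack(text):
        host, iface, direction = classify(orig, reply)
        if iface is None:
            continue
        o_bytes, r_bytes = int(orig[5] or 0), int(reply[5] or 0)
        entry = usage[(host, iface)]
        if direction == "out":        # original tuple is what the LAN host sent
            entry["sent"] += o_bytes
            entry["received"] += r_bytes
        else:                         # DNAT: the LAN server sends in the reply tuple
            entry["sent"] += r_bytes
            entry["received"] += o_bytes
    return dict(usage)


if __name__ == "__main__":
    for (host, iface), c in sorted(account(SAMPLE).items()):
        print(f"{host:15} via {iface}: sent {c['sent']:>8} B, received {c['received']:>8} B")
```

The counters are cumulative for the lifetime of an entry, so for billing you take snapshots at a fixed interval, diff them, and also catch entries that expire between snapshots (conntrack -E from conntrack-tools with destroy events, or ulogd's NFCT input), otherwise short flows are never counted. If the counters are missing, enable them with sysctl net.netfilter.nf_conntrack_acct=1 (older kernels need CONFIG_IP_NF_CT_ACCT). On kernels that expose /proc/net/nf_conntrack instead, each line carries an extra leading "ipv4 2" pair; the tuple regex above does not care.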
From vadtec at vadtec.net Thu Sep 6 03:13:48 2007
From: vadtec at vadtec.net (Vadtec)
Date: Thu Sep 6 03:14:00 2007
Subject: [LARTC] Question about how TC enforces bandwidth limiting
In-Reply-To: 
References: <46D758ED.2030705@vadtec.net> <46DC6B58.3090604@vadtec.net> <46DD4F38.1080905@vadtec.net>
Message-ID: <46DF544C.6070501@vadtec.net>

After another two days of trying to get this to work like I think it should, I've still hit a brick wall. As I am at a total loss as to what's going on, I am providing my shell script that I use to set up my tc rules. You will notice a big section that is commented out. Those are rules I have been using that (for all intents and purposes) work like I expect. I adapted my section based on the example I found at http://lartc.org/howto/lartc.cookbook.ultimate-tc.html section 15.8.3

#!/bin/sh

IFext='eth0'
IFint='eth1'
rc_done=" done"
rc_failed=" failed"
MAX_RATE='360kbit'
MAX_RATEA='360'
INGRESS_RATE='1400kbit'
return=$rc_done
TC='/sbin/tc'

tc_reset () {
    # Reset everything to a known state (cleared)
    $TC qdisc del dev $IFext root 2> /dev/null > /dev/null
}

tc_status () {
    echo "[qdisc - $IFext]"
    $TC -s qdisc show dev $IFext
    echo "------------------------"
    echo
    echo "[class - $IFext]"
    $TC -s class show dev $IFext
}

tc_showfilter () {
    echo "[filter - $IFext]"
    $TC -s filter show dev $IFext
}

case "$1" in
  start)
    echo -n "Starting traffic shaping"
    tc_reset
    # U320="$TC filter add dev $IFext protocol ip parent 1:0 prio 0 u32"
    $TC qdisc del dev eth0 root
    $TC qdisc del dev eth0 ingress

    # uplink
    # dev eth0
    $TC qdisc add dev $IFext root handle 1: htb default 20
    $TC class add dev $IFext parent 1: classid 1:1 htb rate $MAX_RATE burst 6k
    $TC class add dev $IFext parent 1:1 classid 1:10 htb rate 240kbit ceil $MAX_RATE burst 6k prio 1
    $TC class add dev $IFext parent 1:1 classid 1:20 htb rate 200kbit ceil $[9*$MAX_RATEA/10]kbit burst 6k prio 2
    $TC qdisc add dev $IFext parent 1:10 handle 10: sfq perturb 5
    $TC qdisc add dev $IFext parent 1:20 handle 20: sfq perturb 5
    $TC filter add dev $IFext parent 1:0 protocol ip prio 10 u32 match ip tos 0x10 0xff flowid 1:10
    $TC filter add dev $IFext parent 1:0 protocol ip u32 match ip protocol 1 0xff flowid 1:10
    $TC filter add dev $IFext parent 1: protocol ip prio 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 3 flowid 1:10

    # downlink
    # dev eth0
    tc qdisc add dev $IFext handle ffff: ingress
    $TC filter add dev $IFext parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate $INGRESS_RATE burst 10k drop flowid :1

    #
    # dev eth0 - creating qdiscs & classes
    #
    #$TC qdisc add dev $IFext root handle 1: htb default 90
    #$TC class add dev $IFext parent 1: classid 1:1 htb rate $MAX_RATE
    #$TC class add dev $IFext parent 1:1 classid 1:10 htb rate 240kbit ceil $MAX_RATE prio 0
    #$TC class add dev $IFext parent 1:1 classid 1:20 htb rate 192kbit ceil $MAX_RATE prio 1
    #$TC class add dev $IFext parent 1:1 classid 1:30 htb rate 80kbit ceil $MAX_RATE prio 2
    #$TC class add dev $IFext parent 1:1 classid 1:40 htb rate 64kbit ceil $MAX_RATE prio 3
    #$TC class add dev $IFext parent 1:1 classid 1:50 htb rate 32kbit ceil $MAX_RATE prio 4
    #$TC class add dev $IFext parent 1:1 classid 1:60 htb rate 20kbit ceil $MAX_RATE prio 5
    #$TC class add dev $IFext parent 1:1 classid 1:70 htb rate 16kbit ceil $MAX_RATE prio 6
    #$TC class add dev $IFext parent 1:1 classid 1:80 htb rate 8kbit ceil $MAX_RATE prio 7
    #$TC class add dev $IFext parent 1:1 classid 1:90 htb rate 2kbit ceil $MAX_RATE prio 8
    #$TC class add dev $IFext parent 1:1 classid 1:100 htb rate 2kbit ceil 20kbit prio 9
    #$TC qdisc add dev $IFext parent 1:10 handle 10: sfq perturb 10
    #$TC qdisc add dev $IFext parent 1:20 handle 20: sfq perturb 10
    #$TC qdisc add dev $IFext parent 1:30 handle 30: sfq perturb 10
    #$TC qdisc add dev $IFext parent 1:40 handle 40: sfq perturb 10
    #$TC qdisc add dev $IFext parent 1:50 handle 50: sfq perturb 10
    #$TC qdisc add dev $IFext parent 1:60 handle 60: sfq perturb 10
    #$TC qdisc add dev $IFext parent 1:70 handle 70: sfq perturb 10
    #$TC qdisc add dev $IFext parent 1:80 handle 80: sfq perturb 10
    #$TC qdisc add dev $IFext parent 1:90 handle 90: sfq perturb 10
    #$TC qdisc add dev $IFext parent 1:100 handle 100: sfq perturb 10

    tc_status
    ;;
  stop)
    echo -n "Stopping traffic shaper"
    tc_reset || return=$rc_failed
    echo -e "$return"
    ;;
  restart|reload)
    $0 stop
    $0 start || return=$rc_failed
    ;;
  stats|status)
    tc_status
    ;;
  filter)
    tc_showfilter
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|stats|filter}"
    exit 1
esac
test "$return" = "$rc_done" || exit 1

Regardless of the values I use for any of the rates, I still have the same problem. I do not classify ANY traffic with iptables for this set of tc filters, so any traffic that is generated is solely shaped by tc in this case.

The problem I have is this, whenever I allow any torrent client to use above 20k of outgoing bandwidth, *everything* becomes laggy for some reason. Most notable is SSH. While I have no accurate way to time the lag, as near as I can tell it lags about 2 seconds. When I press a key on my keyboard it takes ~2 seconds to show up in the SSH client. Or, if I enter let's say "ls" and press enter, it takes roughly 2 seconds for the ls output to reach me, and while it's being displayed, it's choppy appearing (as in it comes in chunks rather than a nice stream).

I see absolutely no reason for this to be happening. Why should anything lag when I'm using more outgoing bandwidth? Why would more outgoing bandwidth cause a slow down on incoming bandwidth? Or, why would more outgoing bandwidth slow down the filters/tc? I've verified that this happens on more than just my modem. I've used two different routers and a cable modem. All suffer from the same symptoms.
For the record, my router PC is built as such:
  CentOS 5 64bit
  AMD Sempron 2800+ (64bit, 1.6Ghz)
  2GB of DDR
  2GB of swap

As you can see, this PC is more than capable of acting as my router.

I would greatly appreciate any input as to why this torrent problem keeps popping up. As near as I can tell, it doesn't happen during FTP upload or any other sort of intensive upload action.

Thanks,
Vadtec

From martin at linux-ip.net Thu Sep 6 04:47:32 2007
From: martin at linux-ip.net (Martin A. Brown)
Date: Thu Sep 6 04:48:07 2007
Subject: [LARTC] Question about how TC enforces bandwidth limiting
In-Reply-To: <46DF544C.6070501@vadtec.net>
References: <46D758ED.2030705@vadtec.net> <46DC6B58.3090604@vadtec.net> <46DD4F38.1080905@vadtec.net> <46DF544C.6070501@vadtec.net>
Message-ID: 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings again Vadtec,

 : After another two days of trying to get this to work like I think
 : it should, I've still hit a brick wall.

This can be frustrating, I know.

[ snip ] (I admit, I didn't look at the rules very closely, but fundamentally the rules themselves look good.)

You do use an ingress filter with a policer. Since the policer applies equally to all inbound traffic flows, it doesn't really do you any good here.

 : Regardless of the values I use for any of the rates, I still have
 : the same problem. I do not classify ANY traffic with iptables for
 : this set of tc filters, so any traffic that is generated is
 : solely shaped by tc in this case.
 :
 : The problem I have is this, whenever I allow any torrent client
 : to use above 20k of outgoing bandwidth, *everything* becomes
 : laggy for some reason. Most notable is SSH. While I have no
 : accurate way to time the lag, as near as I can tell it lags about
 : 2 seconds. When I press a key on my keyboard it takes ~2 seconds
 : to show up in the SSH client. Or, if I enter let's say "ls" and
 : press enter, it takes roughly 2 seconds for the ls output to
 : reach me, and while it's being displayed, it's choppy appearing (as
 : in it comes in chunks rather than a nice stream).
 :
 : I see absolutely no reason for this to be happening. Why should
 : anything lag when I'm using more outgoing bandwidth? Why would
 : more outgoing bandwidth cause a slow down on incoming bandwidth?
 : Or, why would more outgoing bandwidth slow down the filters/tc?
 : I've verified that this happens on more than just my modem. I've
 : used two different routers and a cable modem. All suffer from the
 : same symptoms.

You are neglecting one important consideration, and that is the download traffic. You may well be shaping the upstream traffic, but the queues transmitting downstream are also full.

So, once again--I'd suggest that you consider what it takes for your "ls" keystrokes and then the output to make it back to you.

  * you press a key ("l"), your ssh client transmits a packet
  * this packet goes across your congested link (probably significantly delayed, because there's congestion here)
  * the packet arrives on the ultimate destination
  * the sshd on the remote side receives the packet, passes it to the application layer (blah blah, bash, fork, exec, ls)
  * the sshd receives data from the application layer and transmits a packet
  * your traffic control structures take this inbound ssh packet and give it its dedicated slot (however you have built your queues)
  * packet returns quickly to your system

So, your shaping is great, but you aren't shaping all of the paths through which your application flow must pass.

 : For the record, my router PC is built as such:
 : CentOS 5 64bit
 : AMD Sempron 2800+ (64bit, 1.6Ghz)
 : 2GB of DDR
 : 2GB of swap
 :
 : As you can see, this PC is more than capable of acting as my router.

And then some. Very reasonable looking box.

Good luck,

- -Martin

- -- 
Martin A. Brown
http://linux-ip.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: pgf-0.72 (http://linux-ip.net/sw/pine-gpg-filter/)

iD8DBQFG32pfHEoZD1iZ+YcRAp8DAKDDb7eO6/cNZp+lLg8tyO07QffzuQCfcTA3
DnHkDHC/Ea09qNsuEBhi+vs=
=VBjg
-----END PGP SIGNATURE-----

From vadtec at vadtec.net Thu Sep 6 05:04:46 2007
From: vadtec at vadtec.net (Vadtec)
Date: Thu Sep 6 05:05:00 2007
Subject: [LARTC] Question about how TC enforces bandwidth limiting
In-Reply-To: 
References: <46D758ED.2030705@vadtec.net> <46DC6B58.3090604@vadtec.net> <46DD4F38.1080905@vadtec.net> <46DF544C.6070501@vadtec.net>
Message-ID: <46DF6E4E.3050504@vadtec.net>

Martin A. Brown wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Greetings again Vadtec,
>
> : After another two days of trying to get this to work like I think
> : it should, I've still hit a brick wall.
>
> This can be frustrating, I know.
>
> [ snip ] (I admit, I didn't look at the rules very closely, but
> fundamentally the rules themselves look good.)
>
> You do use an ingress filter with a policer. Since the policer
> applies equally to all inbound traffic flows, it doesn't really do
> you any good here.
>
> : Regardless of the values I use for any of the rates, I still have
> : the same problem. I do not classify ANY traffic with iptables for
> : this set of tc filters, so any traffic that is generated is
> : solely shaped by tc in this case.
> :
> : The problem I have is this, whenever I allow any torrent client
> : to use above 20k of outgoing bandwidth, *everything* becomes
> : laggy for some reason. Most notable is SSH. While I have no
> : accurate way to time the lag, as near as I can tell it lags about
> : 2 seconds. When I press a key on my keyboard it takes ~2 seconds
> : to show up in the SSH client. Or, if I enter let's say "ls" and
> : press enter, it takes roughly 2 seconds for the ls output to
> : reach me, and while it's being displayed, it's choppy appearing (as
> : in it comes in chunks rather than a nice stream).
> :
> : I see absolutely no reason for this to be happening. Why should
> : anything lag when I'm using more outgoing bandwidth? Why would
> : more outgoing bandwidth cause a slow down on incoming bandwidth?
> : Or, why would more outgoing bandwidth slow down the filters/tc?
> : I've verified that this happens on more than just my modem. I've
> : used two different routers and a cable modem. All suffer from the
> : same symptoms.
>
> You are neglecting one important consideration, and that is the
> download traffic. You may well be shaping the upstream traffic, but
> the queues transmitting downstream are also full.
>
> So, once again--I'd suggest that you consider what it takes for your
> "ls" keystrokes and then the output to make it back to you.
>
> * you press a key ("l"), your ssh client transmits a packet
> * this packet goes across your congested link (probably
>   significantly delayed, because there's congestion here)
> * the packet arrives on the ultimate destination
> * the sshd on the remote side receives the packet, passes it to
>   the application layer (blah blah, bash, fork, exec, ls)
> * the sshd receives data from the application layer and transmits
>   a packet
> * your traffic control structures take this inbound ssh packet and
>   give it its dedicated slot (however you have built your queues)
> * packet returns quickly to your system
>
> So, your shaping is great, but you aren't shaping all of the
> paths through which your application flow must pass.
>
Ok, so answer me this: Does tc use the same general queue for egress and ingress traffic? Or is it a matter of tc just using a default ingress filter that is filling for some reason?
Either way, it still doesn't explain why everything starts to lag as soon as one applications outgoing bandwidth climbs anything above 20.5k (I tested to see when the break was). If the ingress queue works just fine at 20k, why does it not work just fine at >21k? That's my central issue. If I can figure that out, I can most likely filter differently to insure proper performance is maintained. > : For the record, my router PC is built as such: > : CentOS 5 64bit > : AMD Sempron 2800+ (64bit, 1.6Ghz) > : 2GB of DDR > : 2GB of swap > : > : As you can see, this PC is more than capable of acting as my router. > > And then some. Very reasonable looking box. > > Good luck, > > - -Martin > > - -- > Martin A. Brown > http://linux-ip.net/ > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.2 (GNU/Linux) > Comment: pgf-0.72 (http://linux-ip.net/sw/pine-gpg-filter/) > > iD8DBQFG32pfHEoZD1iZ+YcRAp8DAKDDb7eO6/cNZp+lLg8tyO07QffzuQCfcTA3 > DnHkDHC/Ea09qNsuEBhi+vs= > =VBjg > -----END PGP SIGNATURE----- > > Thanks for the input Martin. I really do appreciate the time you have taken with trying to help me. In an effort to make this work better, I am currently working on setting up both egress and ingress qdiscs. (You're e-mail prompted me to take a break. :P) For the sake of simplicity, I am going to setup my ingress qdiscs (practically) the same way as I do my egress filters (even though they may not get used, I will still set them up for the time being just in case I need them). Then, using fw marking, I'm going to filter using iptables on both egress and ingress (though to be honest I really have no idea how I'm going to do the ingress filtering and get it back to the right place, though I assume it will take care of it self, just like egress). Maybe once I do this I will start to see improvements. You can expect that in a few days I will post again when I have exhausted all my (misguided or otherwise) ideas about how to make this work. 
Thanks again, Vadtec From vadtec at vadtec.net Thu Sep 6 06:08:33 2007 From: vadtec at vadtec.net (Vadtec) Date: Thu Sep 6 06:08:48 2007 Subject: [LARTC] Question about how TC enforces bandwidth limiting In-Reply-To: References: <46D758ED.2030705@vadtec.net> <46DC6B58.3090604@vadtec.net> <46DD4F38.1080905@vadtec.net> <46DF544C.6070501@vadtec.net> Message-ID: <46DF7D41.40907@vadtec.net> Ok, I'm almost to tearing my hair out now... I am trying to do more proper ingress policing as Martin has said I do. But every tutorial or example I have seen on traffic shaping with tc says very little (if anything at all) about ingress policing. I have tried a few methods to get this to work including: adding qdiscs to it (failed), adding filters that would give it a FWMARK to classify with (failed), adding HTBs to it (failed). I finally gave up and just routed all the ingress to the same root as I have no idea what the heck I'm doing. Can someone please provide me with an example of how to split ingress policing so that I can achieve what Martin is saying I need to achieve? Vadtec From marco.casaroli at gmail.com Thu Sep 6 07:42:48 2007 From: marco.casaroli at gmail.com (Marco Aurelio) Date: Thu Sep 6 07:42:58 2007 Subject: [LARTC] NAT-aware traffic analysis In-Reply-To: References: <00af01c7ef6a$1c8a3560$0100a8c0@MingChing> Message-ID: <92ed523b0709052242w11967240x1b07cddf272e53a7@mail.gmail.com> If you use IFB or IMQ you can shape the outgoing WAN traffic before NAT On 9/5/07, Martin A. Brown wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Greetings, > > : I have tried using iptraf for my NAT firewall to analyse the IP > : traffic. Basically I am faced with this difficulty of related the > : source IP to the outgoing interface to the internet, so I am > : wondering if anyone has a suggestion for a different ways to do > : it, or a suggestion for a better tool. 
> I don't know of a flow analysis tool that records internal and
> external addresses at the NAT boundary. Without knowing how you
> separate your traffic outbound, it'd be hard for us to guess what
> the shortcomings of any of these solutions might be, but here are a
> few ideas:
>
> * Record the state of /proc/net/ip_conntrack and your flow
> information snapshots at exactly the same time. Use the
> ip_conntrack state information (programmatically) to yield
> the answers you want about usage information.
>
> * Use a flow analysis tool (e.g., argus) to record the flow
> information on your internal interface. Since you built the
> rules for distributing traffic and selecting the path for
> outbound flows, you should be able to map this same logic onto
> your recorded flows.
>
> In short, I think you may have better luck approaching the problem
> as a flow-analysis problem than a statistical summarization of
> traffic on any specific interface.
>
> Good luck,
>
> - -Martin
>
> - --
> Martin A. Brown
> http://linux-ip.net/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (GNU/Linux)
> Comment: pgf-0.72 (http://linux-ip.net/sw/pine-gpg-filter/)
>
> iD8DBQFG3i65HEoZD1iZ+YcRAkqiAJ4rp7p3Sg+b4i0PYvpXRlHZtrm/ogCfe52L
> 00fFE3OOeNHP8QIiTRuB9LM=
> =Egrt
> -----END PGP SIGNATURE-----

--
Marco Casaroli
SapucaiNet Telecom
+55 35 34712377 ext. 5

From mingching.tiew at redtone.com Thu Sep 6 07:56:32 2007
From: mingching.tiew at redtone.com (Ming-Ching Tiew)
Date: Thu Sep 6 07:56:40 2007
Subject: [LARTC] NAT-aware traffic analysis
References: <00af01c7ef6a$1c8a3560$0100a8c0@MingChing> <92ed523b0709052242w11967240x1b07cddf272e53a7@mail.gmail.com>
Message-ID: <00f701c7f04a$ad1d1940$0100a8c0@MingChing>

From: "Marco Aurelio"
> If you use IFB or IMQ you can shape the outgoing WAN traffic before NAT

I am not sure if I understand this reply, or the reply, as it seems to me, is not replying to my original question.

I am asking how to collect statistics about LAN users with respect to their WAN usage, with LAN IP as the breakdown.

I am not asking how to do traffic shaping. And may I know how does IMQ help that?

Actually, with more thought given to the problem, I think I am quite inclined to using iptables ULOG. But the ULOG solution has a few things that need mentioning:

1. Might be very heavy on system loading. Hope people can clarify if it is a real concern. And does anyone have experience using ULOG 2.x? Will 2.x be more friendly to system loading compared to 1.x?

2. Logging goes into either a file or a database. It's to be an offline monitoring mechanism. Is there a way to use ULOG for online monitoring?

3. Next, each ULOG rule is only specifying one side of the traffic, eg:

   iptables -A FORWARD -i eth0 -o eth1 -j ULOG .....

   I will need another iptables rule to specify the returning traffic, eg:

   iptables -A FORWARD -i eth1 -o eth0 -j ULOG .....

   Combining two independent logs as one connection will still be a challenge.

Hope to see more suggestions and discussion. Thank you.

From vadtec at vadtec.net Thu Sep 6 19:43:03 2007
From: vadtec at vadtec.net (Vadtec)
Date: Thu Sep 6 19:43:20 2007
Subject: [LARTC] Question about how TC enforces bandwidth limiting
Message-ID: <46E03C27.3010104@vadtec.net>

Ok, I messed around with 6 different setups over 10 hours yesterday. The only one I can get to work properly is my original one.
So, now I'm to the theory stage of trying to figure this out. I got a reply from a mailing list user saying I need to do egress filtering in two places. While I could not understand what they were saying very well, it did leave me to ponder this theory.

It seems to me the whole problem has been how I am handling ingress traffic on eth0 (WAN interface). As it stands, I do rate limit it and will drop if it's coming in too fast. But is there anything that's stopping me from routing ingress traffic through the egress queues on its way to the LAN? Or will that seriously break traffic shaping?

What I'm thinking is, the ingress qdisc doesn't really control anything. So, if I were to route it (say with an iptables rule) to an egress qdisc on eth1, I could truly control ingress traffic. I really don't think this will work as it seems like I am quashing all the traffic down one side of what should be a two-sided link. While I cannot think of a way to visualize this with ASCII art, I can summarize the ingress and egress pathways in linear format, as such:

Egress (LAN to Internet):
  LAN traffic ---> eth1 (egress) ---> eth0 (egress) ---> WAN
Ingress (Internet to LAN):
  LAN <--- eth1 (ingress) <--- eth0 (egress to eth1 ingress) <--- eth0 (ingress) <--- WAN traffic

or

Egress (LAN to Internet):
  LAN traffic ---> eth1 (egress) ---> eth0 (egress) ---> WAN
Ingress (Internet to LAN):
  LAN <--- eth1 (egress) <--- eth0 (ingress to eth1 ingress) <--- eth0 (ingress) <--- WAN traffic

I hate to be so pessimistic. But so far all I've gotten is everyone saying "You need to filter ingress traffic" with no real or concrete examples of how to do such a thing. And the LARTC How To doesn't describe it very well either. It's like ingress filtering is just not done, and those that do it are using such complicated methods that it's not worth sharing them.

So, unless someone can provide me with a concrete example of true ingress filtering, or how to filter ingress on the LAN side or WAN side or whichever side I need to filter it on, I am completely stuck.

Vadtec

From david_list at boreham.org Thu Sep 6 19:57:40 2007
From: david_list at boreham.org (David Boreham)
Date: Thu Sep 6 19:56:07 2007
Subject: [LARTC] Question about how TC enforces bandwidth limiting
In-Reply-To: <46E03C27.3010104@vadtec.net>
References: <46E03C27.3010104@vadtec.net>
Message-ID: <46E03F94.5060804@boreham.org>

The advice you received is pretty good. Avoid ingress shaping at all costs, and you don't need it anyway for your situation.

Use egress shaping on both your internal and external interfaces. Traffic coming IN to your network gets shaped as egress traffic on the LAN interface. Traffic going OUT from your network gets shaped as egress traffic on the WAN interface. So all shaping is egress, but you're able to shape in both directions by always delaying packets as they are SENT by your router.

Think of it this way: all you can really do is delay sending packets (or ultimately drop them, which is the same as infinitely delaying). Packets arrive when they arrive; you have no control over that. This is why shaping has to be done on egress traffic -- it's the only lever you have to pull on.
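A concrete version of the layout David describes (all shaping is egress, applied on both interfaces of the router), as an added example that is not code from anyone on this thread. It assumes eth0 faces the modem and eth1 faces the LAN, takes its rates as whole kbit values that sit a little under the real link rates (the 1000/300kbit that Andy suggests for testing elsewhere in this thread is the kind of figure meant), classifies with tc filter u32 rather than iptables, and with DRY_RUN=1 prints the tc commands instead of running them so they can be reviewed before anything touches the router:

```shell
#!/bin/sh
# Added example (not from the thread): shape inbound traffic as it leaves
# eth1 towards the LAN and outbound traffic as it leaves eth0 towards the
# WAN. Interface names and rates below are assumptions; adjust to the link.
WAN=${WAN:-eth0}                # interface facing the modem
LAN=${LAN:-eth1}                # interface facing the LAN
UP_KBIT=${UP_KBIT:-300}         # a little under the real upstream rate
DOWN_KBIT=${DOWN_KBIT:-1000}    # well under the downstream rate: on this
                                # side we sit at the wrong end of the bottleneck

# Run tc, or with DRY_RUN=1 just print the command line for review.
tc_run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "tc $*"
    else
        tc "$@"
    fi
}

# shape_egress DEV RATE_KBIT: root HTB on DEV with an interactive class
# (1:10) and a bulk default class (1:20). Each child gets an sfq so a
# single flow cannot monopolise its class; ssh and ICMP go to 1:10 and
# may borrow up to the full rate, bulk takes whatever is left.
shape_egress() {
    dev=$1
    rate=$2
    inter=$((rate / 3))
    bulk=$((rate - inter))
    tc_run qdisc del dev "$dev" root 2>/dev/null || true
    tc_run qdisc add dev "$dev" root handle 1: htb default 20
    tc_run class add dev "$dev" parent 1: classid 1:1 htb rate "${rate}kbit" ceil "${rate}kbit"
    tc_run class add dev "$dev" parent 1:1 classid 1:10 htb rate "${inter}kbit" ceil "${rate}kbit" prio 0
    tc_run class add dev "$dev" parent 1:1 classid 1:20 htb rate "${bulk}kbit" ceil "${rate}kbit" prio 1
    tc_run qdisc add dev "$dev" parent 1:10 handle 10: sfq perturb 10
    tc_run qdisc add dev "$dev" parent 1:20 handle 20: sfq perturb 10
    # ssh in either direction: the same two rules serve the WAN and LAN side
    tc_run filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip protocol 6 0xff match ip dport 22 0xffff flowid 1:10
    tc_run filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip protocol 6 0xff match ip sport 22 0xffff flowid 1:10
    # ICMP too, so a ping shows the latency the interactive class is getting
    tc_run filter add dev "$dev" parent 1: protocol ip prio 2 u32 \
        match ip protocol 1 0xff flowid 1:10
}

apply_all() {
    shape_egress "$WAN" "$UP_KBIT"
    shape_egress "$LAN" "$DOWN_KBIT"
}

# Only act when asked: "sh shape.sh apply", or "DRY_RUN=1 sh shape.sh apply"
if [ "${1:-}" = apply ]; then
    apply_all
fi
```

Watch the result with `tc -s class show dev eth1` while a download runs: the 1:20 counters should climb while 1:10 stays nearly idle, and an interactive ssh session should stay responsive because its packets never wait behind the bulk queue on either interface.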
From marco.casaroli at gmail.com Thu Sep 6 20:20:33 2007 From: marco.casaroli at gmail.com (Marco Aurelio) Date: Thu Sep 6 20:20:39 2007 Subject: [LARTC] NAT-aware traffic analysis In-Reply-To: <00f701c7f04a$ad1d1940$0100a8c0@MingChing> References: <00af01c7ef6a$1c8a3560$0100a8c0@MingChing> <92ed523b0709052242w11967240x1b07cddf272e53a7@mail.gmail.com> <00f701c7f04a$ad1d1940$0100a8c0@MingChing> Message-ID: <92ed523b0709061120x1f520b18sdc659362366296a2@mail.gmail.com> Sorry if didn't reply you as expected Currently I use iptables to monitor how many bytes and packets each client has transmitted: Each client has an ACCEPT rule that matches their IP and MAC address I can see the byte and packet counters with iptables -L -n -v then, I use a script to parse this output and feed the apropriate RRD. Previously, I used to parse the output of tc -s class ls dev ifb0 which gave me almost the same result On 9/6/07, Ming-Ching Tiew wrote: > > From: "Marco Aurelio" > > > If you use IFB or IMQ you can shape the outgoing WAN traffic before NAT > > > > I am not sure if I understand this reply or the reply seems to me, > is not replying to my original question. > > I am asking how to collect statistics about LAN users with respect > to their WAN usage, with LAN IP as the breakdown. > > I am not asking how to do traffic shaping. And may I know how > does IMQ help that ? > > Actually with more thought given to the problem, I think I am > quite inclined to using iptables ULOG. But ULOG solution > has a few things need mentioning :- > > 1. Might be very heavy on system loading. Hope people can > clarify if it is a real concern. And anyone has experience using > ULOG 2.x ? Will 2.x be more friendly to system loading > compared to 1.x ? > > 2. Logging goes into either file or database. It's to be a offline > monitoring mechanism. Is there a way to use ULOG for online > monitoring ? > > 3. Next, each ULOG is only specifying one side of the traffic. 
eg :- > > iptables -A FORWARD -i eth0 -o eth1 -j ULOG ..... > > I will need another iptables rule to specify the returning traffic, eg > :- > > iptables -A FORWARD -i eth1 -o eth0 -j ULOG ..... > > Combining two independent logs as one connection will still be a > challenge. > > Hope to see more suggestions and discussion. > Thank you. > > > > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > -- Marco Casaroli SapucaiNet Telecom +55 35 34712377 ext. 5 From vadtec at vadtec.net Thu Sep 6 20:43:54 2007 From: vadtec at vadtec.net (Vadtec) Date: Thu Sep 6 20:44:07 2007 Subject: [LARTC] Question about how TC enforces bandwidth limiting In-Reply-To: <46E03F94.5060804@boreham.org> References: <46E03C27.3010104@vadtec.net> <46E03F94.5060804@boreham.org> Message-ID: <46E04A6A.5000707@vadtec.net> David Boreham wrote: > The advice you received is pretty good. > Avoid ingress shaping at all costs, and > you don't need it anyway for your situation. > > Use egress shaping on both your internal and > external interfaces. > Traffic coming IN to your network gets shaped > as egress traffic on the LAN interface. > Traffic going OUT from your network gets > shaped as egress traffic on the WAN interface. > So all shaping is egress, but you're able to > shape in both directions by always delaying > packets as they are SENT by your router. > > Think of it this way : all you can really do is > delay sending packets (or ultimately drop them > which is the same as infinitely delaying). > Packets arrive when they arrive, you have no > control over that. This is why shaping has to be > done on egress traffic -- it's the only lever you have > to pull on. > > > Thank you! This is the first explanation that has actually made sense to me. Before I had a vague idea of what was being said. I do have one question though. 
On the egress shaping on eth1 (LAN interface), when using iptables I should do everything in the POSTROUTING chain correct? That way it gets routed to the proper LAN node and still gets shaped, correct? If thats the case, I can have a setup working in no time (I hope). Many thanks, Vadtec From david_list at boreham.org Thu Sep 6 21:32:43 2007 From: david_list at boreham.org (David Boreham) Date: Thu Sep 6 21:32:46 2007 Subject: [LARTC] Question about how TC enforces bandwidth limiting In-Reply-To: <46E04A6A.5000707@vadtec.net> References: <46E03C27.3010104@vadtec.net> <46E03F94.5060804@boreham.org> <46E04A6A.5000707@vadtec.net> Message-ID: <46E055DB.3080408@boreham.org> > > > I do have one question though. On the egress shaping on eth1 (LAN > interface), when using iptables I should do everything in the > POSTROUTING chain correct? That way it gets routed to the proper LAN > node and still gets shaped, correct? If thats the case, I can have a > setup working in no time (I hope). Well now it's my turn to be confused ! What's the connection between iptables and your traffic shaping setup ? Are you marking packets for shaping, something like that ? If so I have no idea. My routing and shaping are completely separate and unrelated in any way (I use tc filter to classify packets). From vadtec at vadtec.net Thu Sep 6 22:09:18 2007 From: vadtec at vadtec.net (Vadtec) Date: Thu Sep 6 22:09:38 2007 Subject: [LARTC] Question about how TC enforces bandwidth limiting In-Reply-To: <46E055DB.3080408@boreham.org> References: <46E03C27.3010104@vadtec.net> <46E03F94.5060804@boreham.org> <46E04A6A.5000707@vadtec.net> <46E055DB.3080408@boreham.org> Message-ID: <46E05E6E.5030300@vadtec.net> David Boreham wrote: > >> >> >> I do have one question though. On the egress shaping on eth1 (LAN >> interface), when using iptables I should do everything in the >> POSTROUTING chain correct? That way it gets routed to the proper LAN >> node and still gets shaped, correct? 
>> If that's the case, I can have a setup working in no time (I hope).
> Well now it's my turn to be confused! What's the connection between
> iptables and your traffic shaping setup? Are you marking packets for
> shaping, something like that? If so I have no idea. My routing and
> shaping are completely separate and unrelated in any way (I use
> tc filter to classify packets).

iptables (I forget what version onward supports this) has the ability to classify packets that it routes via -j CLASSIFY --set-class X:Y. For all intents and purposes, this is the same as -j MARK --set-mark X. Basically, it allows a user to use iptables to do the actual classification of the packet. For an example, take a look at:

http://lartc.org/howto/lartc.cookbook.fullnat.intro.html
http://www.stanford.edu/~fenn/linux/ (this is the tutorial I base my iptables and tc rules on)

I am not familiar enough with tc filter syntax to brave it yet. Hence my use of iptables to classify packets, which I think is much easier anyway. I was simply asking whether I would classify the packets in PREROUTING, OUTPUT, or POSTROUTING. I assume OUTPUT or POSTROUTING will let me achieve my goals with respect to egress on eth1.

Guess it's time to enter my dark age of tc+iptables. :P

Sorry if I confused you with my question. It's the only way I know how to traffic shape (so far).

Vadtec

From lists at andyfurniss.entadsl.com Thu Sep 6 22:09:45 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Thu Sep 6 22:09:52 2007
Subject: [LARTC] Question about how TC enforces bandwidth limiting
In-Reply-To: <46DF544C.6070501@vadtec.net>
References: <46D758ED.2030705@vadtec.net> <46DC6B58.3090604@vadtec.net> <46DD4F38.1080905@vadtec.net> <46DF544C.6070501@vadtec.net>
Message-ID: <46E05E89.9020902@andyfurniss.entadsl.com>

Vadtec wrote:
> MAX_RATE='360kbit'
> MAX_RATEA='360'
> INGRESS_RATE='1400kbit'

If you actually sync at 1.5/384kbit these are far too close, as DSL sync rates are at ATM level. It is possible to patch kernel/tc to make things work properly, but for testing try 1000/300kbit.

> $TC qdisc add dev $IFext root handle 1: htb default 20

Using default on eth is not ideal as arp will go there - though sfq will help you a bit. Don't set perturb too low as it causes packet reordering.

> $TC filter add dev $IFext parent 1: protocol ip prio 10 u32 match ip
> protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2
> match u8 0x10 0xff at 3 flowid 1:10

This won't work - the last "at 3" should be "at 33".

General other points from some things raised in the rest of the thread -

Bittorrent will use udp if the client does trackerless/dht, but it shouldn't amount to much bandwidth. The port settings are for listening and don't mean you won't use others as well.

I've noticed that if bandwidth is restricted by the bt client and your mtu is <1500 then you can get one large and one small packet for every chunk sent by the client - if you do your own QOS then turn off the client limiter, or you could have some nasty reordering as the small packets overtake the large ones (depending on what rules you end up using).

Ingress shaping is different from egress - you have to sacrifice bandwidth to get it to work, though.

I don't know why in your test latency for ssh lagged when you reached 20KB/sec upload - maybe you need to look at counters/tcpdump to be sure your client sets TOS OK. As there is a rule for ICMP you can ping somewhere to see how much lag you are getting.

You are right that you can shape your ingress as egress on the LAN facing interface, but you need to make allowances for the fact you are shaping from the wrong end of the bottleneck. Until you've got egress sorted I would stick to policing ingress eth0 down to 1mbit while testing.

One more possibility - if you have a multicore CPU then the kernel should be set to use get time of day or jiffies as a time source for shaping, not cpu/tsc.
If you have gig nics then there may be other things needed - but only for traffic generated on the shaping box itself - I assume your torrent box is on a machine on the LAN?

Andy.

From hevercosta at gmail.com Thu Sep 6 22:56:26 2007
From: hevercosta at gmail.com (Hever C. Rocha)
Date: Thu Sep 6 22:56:31 2007
Subject: [LARTC] iproute: add destination route by hostname...
Message-ID: <936d0cdf0709061356w686b079fs1c8992fd1ec4cc48@mail.gmail.com>

Hi all

How to add a static route to a hostname with iproute2? I tried:

ip route add linux.com via 192.168.1.1

I got the following reply:

Error: an inet prefix is expected rather than "linux.com".

With the "route" command I do not have problems:

route add -host linux.com gw 200.214.148.140

As iproute2 is the standard in the current Linux distros, I would like to know if it is possible to use the same resource...

Regards
From Brasil

From lists at andyfurniss.entadsl.com Thu Sep 6 23:09:52 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Thu Sep 6 23:09:51 2007
Subject: [LARTC] Classes do not receive any traffic ?
In-Reply-To: <46DC12F3.6010101@poczta.fm>
References: <46DC12F3.6010101@poczta.fm>
Message-ID: <46E06CA0.5080507@andyfurniss.entadsl.com>

bartekR wrote:
> 1. Main problem.
> It seems that classes on imq0 that should shape incoming traffic from
> internet do not recognize marks. Fw match doesn't work. U32 match works
> except matching marks. The only classes that receive traffic on imq0 are
> server class and user classes. Similar problem occurred on eth0 (upload)
> but I managed to solve this problem by using -j CLASSIFY instead of -j
> MARK. When I tried to fix this problem I learned that this may be
> caused by the way tc and iptables work together. I am sure that
> marks are set and the IMQ target works (non-zero iptables/ifconfig counters).
> I think that it is possible for u32 matches to classify traffic before
> any mark is set. Unfortunately kptd is out of date so it is not certain
> to me. Would somebody explain to me why fwmark does not work on imq0?

Mark should work on IMQ if set in PREROUTING mangle - so should classify, so perhaps you could work around with that.

You say it didn't work on eth0 either, so maybe your/your distro's kernel config is to blame. Here's what I get grepping for mark/fw:

andy@noki:~$ grep -i mark /boot/config-2.6.21.1
# CONFIG_NETWORK_SECMARK is not set
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_BRIDGE_EBT_MARK=m
CONFIG_BRIDGE_EBT_MARK_T=m
CONFIG_NET_SCH_DSMARK=m
CONFIG_CLS_U32_MARK=y
andy@noki:~$ grep -i fw /boot/config-2.6.21.1
CONFIG_NET_CLS_FW=m
CONFIG_FW_LOADER=m

If your config looks OK, your rules are so complex I would try something very simple like marking icmp and making a filter for that on eth/imq and seeing if it works or not. iptables counters don't tell you if you later accidentally cleared the mark, and -j IMQ won't jump to IMQ from that place in the script.

> 2.
> I have found that when I try to ping from a host in the lan to a host in the
> internet every fifth icmp packet has significantly higher delay. F.e.
> four packets go through with delay approx 15ms but the next packet has
> delay up to 100ms! I suppose that it may be caused by too big a txqueuelen
> so I decreased it from 1000 to 30 on all interfaces without any problems
> with lesser bandwidth or packet losses. Could somebody advise a proper
> value for txqueuelen, if it was a good idea to change it.
> I have a 1Mbit/256kbit DSL modem.

DSL rates are hard to get right without patching tc/kernel as it uses ATM and the overheads on a packet are high and vary with size in 53-byte chunks. Without patching you need to back off from the rates. To make things worse, ingress shaping needs you to back off even more as you are at the wrong end of the bottleneck, so you don't have total control like on egress.

The slower the link the harder it is; you should use short child qdiscs on the htb bulk classes (limit parameter) and try to arrange the htb rules so that interactive classes (and don't have too many) get a rate much higher than they ever need, with a higher prio than bulk. For htb prio 0 is top - for tc filters it's 1.

> 3.
> Is it a good idea to set a proper ToS value for outbound traffic that
> was classified as prio?? Would it give any decrease in delays??

I don't think it will make any difference.

Andy.

From lists at andyfurniss.entadsl.com Thu Sep 6 23:14:51 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Thu Sep 6 23:14:49 2007
Subject: [LARTC] About "b" meaning "byte" and bit
In-Reply-To: <20070903091729.GA24496@DervishD>
References: <20070831162624.GA6133@DervishD> <7ed6b0aa0709022121y660a8e35j998e3f2246817263@mail.gmail.com> <20070903091729.GA24496@DervishD>
Message-ID: <46E06DCB.8000305@andyfurniss.entadsl.com>

DervishD wrote:
> Hi Indunil :)
>
> * Indunil Jayasooriya dixit:
>> On 8/31/07, DervishD wrote:
>>> Hi all :)
>>>
>>> I think that this issue has already been discussed on this list, but
>>> google didn't find anything interesting, so I'm bringing the subject
>>> up again.
>>>
>>> The output of "tc" uses "b" meaning "byte" and "bit" for "bit". The
>>> "official" suffixes for those units are "B" and "b", respectively, and
>>> on top of this, I'm not sure if "kbit" means "kilobit" or "kibibit" in
>>> "tc" output.
>>>
>> SEE below, which was taken from this URL
>>
>> http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm
>>
>> Please read: tc tool (not only HTB) uses shortcuts to denote units of rate.
>> kbps means kilobytes and kbit means kilobits! This is the most FAQ about tc
>> in linux.
>
> Yes, I already knew that; what I was asking is why SI units are not
> used and "shortcuts" are used instead: see my original message, I was
> not sure if kilobit was being used correctly (meaning 1000 bits) or if
> it was being used mistakenly for kibibit (1024 bits), and on top of
> that, why "b" was being used as byte when the SI prefix for byte is "B".

It got changed so kbit means 1000 when S. Hemminger took over maintenance, IIRC.

> I mean, tc doesn't seem to follow any standard except maybe in
> kilobit (which should then be used as kb, not kbit).

I think changing kb and kbit would break too many existing scripts.

> Raúl Núñez de Arenas Coronado

From lists at andyfurniss.entadsl.com Thu Sep 6 23:19:08 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Thu Sep 6 23:19:01 2007
Subject: [LARTC] Can we use 2 tc filter rules with the same prio
In-Reply-To: <7ed6b0aa0709030204y5bea56a4ub09cffcc9a0395e1@mail.gmail.com>
References: <7ed6b0aa0709030204y5bea56a4ub09cffcc9a0395e1@mail.gmail.com>
Message-ID: <46E06ECC.9070304@andyfurniss.entadsl.com>

Indunil Jayasooriya wrote:
> Hi ALL,
>
> I am using the script below for DOWNLOADING. It is only for HTTP and HTTPS.
>
> I have given the same prio for both (i.e. prio 1).
>
> Please see my script given below (last 2 lines of the script, which I have
> highlighted in BOLD letters).
>
> Can I have 2 tc filter rules with the same prio?
>
> What is the proper method to write?
>
> MY SCRIPT IS BELOW
>
> #traffic shaping on eth1 (Downloading)
>
> INTERFAZ_LAN=eth1
> FULLBANDWIDTH=256
> BANDWIDTH4LAN=64
>
> tc qdisc del root dev $INTERFAZ_LAN
>
> tc qdisc add dev $INTERFAZ_LAN root handle 1: htb r2q 4
> tc class add dev $INTERFAZ_LAN parent 1: classid 1:2 htb rate "$FULLBANDWIDTH"Kbit
> tc class add dev $INTERFAZ_LAN parent 1: classid 1:5 htb rate "$BANDWIDTH4LAN"Kbit
> tc qdisc add dev $INTERFAZ_LAN parent 1:5 handle 5: sfq perturb 10
> tc filter add dev $INTERFAZ_LAN parent 1: protocol ip prio 1 u32 match ip sport 80 0xffff match ip dst 192.168.102.0/24 classid 1:5
> tc filter add dev $INTERFAZ_LAN parent 1: protocol ip prio 1 u32 match ip sport 443 0xffff match ip dst 192.168.102.0/24 classid 1:5

In this case they should be OK and execute in order of entry because they are the same sort of match. You can always check with

tc -s filter ls dev ...

Sometimes you need different prios or the rules will just not work / throw an error / work in the wrong order.

Andy.

From lists at andyfurniss.entadsl.com Thu Sep 6 23:26:07 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Thu Sep 6 23:26:00 2007
Subject: [LARTC] HTB does not respect the prio parameter
In-Reply-To: <46D54F5D.7000806@businessecurity.com>
References: <46D52904.4040809@businessecurity.com> <46D53525.8080005@poczta.fm> <46D54F5D.7000806@businessecurity.com>
Message-ID: <46E0706F.5000806@andyfurniss.entadsl.com>

Martin Björnsson wrote:
> Yes, exactly. So my 1:20 class (prio 1) should get to send more than the 1:30 class. But
> it doesn't, they both get about the same throughput.
>
> Nobody else having problems with the prio parameter?

I would test without the reds. I don't think red was really meant to be put as a child of a highly variable rate class. Maybe they are dropping enough that the higher prio class isn't permanently backlogged.

Andy.
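Andy's point, made here and in his replies to Vadtec and bartekR earlier in this thread, is that DSL rates are counted at the ATM level and that the per-packet overhead "varies with size in 53-byte chunks", so an HTB rate set at the sync rate is too close and has to be backed off. The following is an added example, not code from the list or from the tc-atm patches, that works that arithmetic through: how many 53-byte cells a given IP packet occupies under AAL5 framing, what IP-level throughput a given sync rate therefore carries, and, since the "b meaning byte" thread above turns on it, a converter for tc's kbit/kbps suffixes. The 10-byte encapsulation figure is an assumed example value; the real number depends on the ISP's encapsulation (PPPoA, PPPoE, bridged), which nothing in the thread states.

```python
import math
import re

ATM_CELL = 53        # bytes per ATM cell on the wire
ATM_PAYLOAD = 48     # payload bytes carried per cell
AAL5_TRAILER = 8     # AAL5 trailer appended before padding to whole cells

# Assumed example value: link-layer encapsulation bytes added to each IP
# packet before AAL5 framing. It depends on the ISP's encapsulation and is
# not given anywhere in the thread; measure or look up yours.
EXAMPLE_ENCAP = 10


def atm_cells(ip_len, encap=EXAMPLE_ENCAP):
    """Number of 53-byte cells one IP packet of ip_len bytes occupies."""
    return math.ceil((ip_len + encap + AAL5_TRAILER) / ATM_PAYLOAD)


def atm_wire_bytes(ip_len, encap=EXAMPLE_ENCAP):
    """Bytes actually sent on the DSL link for one IP packet."""
    return atm_cells(ip_len, encap) * ATM_CELL


def effective_ip_kbit(sync_kbit, ip_len, encap=EXAMPLE_ENCAP):
    """IP-level throughput a sync_kbit link carries if every packet is ip_len bytes.

    This is roughly the figure an unpatched HTB rate has to stay below.
    """
    return sync_kbit * ip_len / atm_wire_bytes(ip_len, encap)


def overhead_table(sizes=(40, 64, 576, 1500), encap=EXAMPLE_ENCAP):
    """Per-size wire cost: (ip_len, cells, wire_bytes, wire/ip ratio)."""
    return [(n, atm_cells(n, encap), atm_wire_bytes(n, encap),
             round(atm_wire_bytes(n, encap) / n, 2)) for n in sizes]


# tc rate suffixes as tc(8) documents them: "...bit" is bits per second,
# "...bps" is bytes per second, and k/m/g are decimal (1000-based).
# A bare number is rejected here rather than guessed at.
_RATE_RE = re.compile(r"^(\d+(?:\.\d+)?)([kmg]?)(bit|bps)$")
_PREFIX = {"": 1, "k": 1000, "m": 1000 ** 2, "g": 1000 ** 3}


def tc_rate_to_bits(text):
    """Convert a tc rate such as '360kbit' or '45kbps' to bits per second."""
    m = _RATE_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised tc rate: {text!r}")
    number, prefix, unit = m.groups()
    value = float(number) * _PREFIX[prefix]
    return int(value if unit == "bit" else value * 8)


if __name__ == "__main__":
    for ip_len, cells, wire, ratio in overhead_table():
        print(f"{ip_len:5d}-byte IP packet -> {cells:2d} cells = {wire:4d} bytes ({ratio}x)")
    # the 256kbit upstream from the bartekR thread, carrying full-size packets
    print(f"256kbit sync, 1500-byte packets: {effective_ip_kbit(256, 1500):.1f} kbit of IP")
    print("'360kbit' =", tc_rate_to_bits("360kbit"), "bit/s;",
          "'360kbps' =", tc_rate_to_bits("360kbps"), "bit/s")
```

The table makes the "varies in 53-byte chunks" remark concrete: a bare 40-byte TCP ACK costs two cells (106 bytes, 2.65 times its size) while a 1500-byte packet costs 32 cells (1696 bytes, about 1.13 times), so the right safety margin depends on the packet mix, which is why a fixed percentage never quite fits and the kernel/tc patches that account per cell exist.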
From lists at andyfurniss.entadsl.com Thu Sep 6 23:32:31 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Thu Sep 6 23:32:25 2007
Subject: [LARTC] Alternative section to the HOWTO...
In-Reply-To:
References:
Message-ID: <46E071EF.5060206@andyfurniss.entadsl.com>

Javier Ors wrote:
> IMHO, the priomap explanation in the 9.2.1.1. of the LARTC HOWTO is not
> clear enough. I only understood its real behavior when I read this
> document from Russell Stuart:
> http://ace-host.stuart.id.au/russell/files/tc/doc/tc/priority.txt
> So, based on this information, I've prepared an alternative priomap
> explanation for this section of the HOWTO; if you like it as it is I could
> try to do the modifications to the .db file. If not, just take what you
> want from it or forget it... It is possibly full of technical mistakes and
> also linux-centered, as I have no idea how this goes on other operating
> systems. I'm not a professional, so please don't be hard with the
> criticism...
>
> priomap
>
> Determines how packet priorities, as assigned by the kernel, map to bands.
>
> The kernel assigns a generic priority to every packet which enters or is
> generated in the machine; this priority is an 8-bit integer, and a higher
> value means higher priority. The priomap defines how all the 16 possible
> values of the linux priority are mapped to the bands.
>
> For example, on the command line, the default priomap looks like this:
> 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1. This means the following mapping:
>
> Linux priority         Default Band (priomap)
> --------------         ----------------------
> 0 (Best Effort)        1
> 1 (Filler)             2
> 2                      2
> 3 (Bulk)               2
> 4 (Interactive Bulk)   1
> 5                      2
> 6 (Interactive)        0
> 7                      0
> 8                      1
> 9                      1
> 10                     1
> 11                     1
> 12                     1
> 13                     1
> 14                     1
> 15                     1
>
> Some of the linux priority values have a symbolic name, but on the table
> above only five of them are shown. For IPv4 packets we will only care about
> the bands assigned to those five named values. This is because for packets
> using this protocol, the priority is assigned based on the ToS octet of the
> packet, which looks like this:
>
>    0     1     2     3     4     5     6     7
> +-----+-----+-----+-----+-----+-----+-----+-----+
> |                 |                       |     |
> |   PRECEDENCE    |          ToS          | MBZ |
> |                 |                       |     |
> +-----+-----+-----+-----+-----+-----+-----+-----+
>
> The four ToS bits (the 'ToS field') are defined as:
>
> Binary   Decimal   Meaning
> -----------------------------------------
> 1000     8         Minimize delay (md)
> 0100     4         Maximize throughput (mt)
> 0010     2         Maximize reliability (mr)
> 0001     1         Minimize monetary cost (mmc)
> 0000     0         Normal Service
>
> As the MBZ must be zero, the actual value of the ToS field is double the
> value of the ToS bits. Tcpdump -v -v shows you the value of the entire ToS
> field, not just the four bits. It is the value you see in the first column
> of the following table, which shows how the ToS values are mapped to the
> five linux priority values mentioned above:
>
> ToS     Bits   Means                    Linux Priority
> ------------------------------------------------------
> 0x0     0      Normal Service           0 (Best Effort)
> 0x2     1      Minimize Monetary Cost   1 (Filler)
> 0x4     2      Maximize Reliability     0 (Best Effort)
> 0x6     3      mmc+mr                   0 (Best Effort)
> 0x8     4      Maximize Throughput      2 (Bulk)
> 0xa     5      mmc+mt                   2 (Bulk)
> 0xc     6      mr+mt                    2 (Bulk)
> 0xe     7      mmc+mr+mt                2 (Bulk)
> 0x10    8      Minimize Delay           6 (Interactive)
> 0x12    9      mmc+md                   6 (Interactive)
> 0x14    10     mr+md                    6 (Interactive)
> 0x16    11     mmc+mr+md                6 (Interactive)
> 0x18    12     mt+md                    4 (Int. Bulk)
> 0x1a    13     mmc+mt+md                4 (Int. Bulk)
> 0x1c    14     mr+mt+md                 4 (Int. Bulk)
> 0x1e    15     mmc+mr+mt+md             4 (Int. Bulk)
>
> This mapping is hard-coded and can not be adjusted, only the default priomap
> can be changed. To clarify, the whole process for an IPv4 packet would be:
>
> ToS value ------mapping------> Linux Priority ------priomap------> Band
>
> A few extra comments:
>
> - The ToS-to-Linux_Priority mapping is made at the very beginning of
> the routing process, even before the packet enters the iptables chains.
> This means that changing the ToS field of the packet with iptables' "-j
> TOS --set-tos" flags will change neither its linux priority nor
> the band it will be assigned to.
> - Also notice that this mapping is not one-to-one; for example, by
> only adjusting the priomap, it is impossible to assign a packet with ToS
> value 0x00 (Normal Service) to a different band than a packet with ToS 0x02
> (Maximize reliability), as both values are mapped to linux priority 0 (Best
> Effort).
> - At the moment of writing this, the ToS octet of the IPv4 protocol
> has been superseded by the Diffserv Code Point. But the default linux
> priority mapping, and most common applications (ssh, ftp servers, etc...)
> are still using the ToS scheme; however, this may change in the future.
>

I don't know if bert has time to read the list anymore, as you say LARTC
hasn't been updated for ages.

If mailing bert doesn't get anywhere there was talk of a QOS wiki being
started on http://linux-net.osdl.org/

Andy.

From lists at andyfurniss.entadsl.com Fri Sep 7 00:03:17 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Fri Sep 7 00:03:13 2007
Subject: [LARTC] Help about a QoS configuration
In-Reply-To:
References: <46D483B0.2040008@andyfurniss.entadsl.com> <46D6EA14.5050106@andyfurniss.entadsl.com>
Message-ID: <46E07925.6010501@andyfurniss.entadsl.com>

Javier Ors wrote:
>> Ahh OK embedded. There may be hope then. I know that TI AR7 based
>> routers don't have a buffer beyond the device. The one I tested didn't
>> have any qdiscs built in apart from TIs prio/wrr, but it did work
>> without any rate limiting.
>
>
> Then I am a lucky guy, this is mine:
> http://wiki.openwrt.org/OpenWrtDocs/Hardware/D-Link/DSL-G624T
> I didn't look for it, it was just the one that the ISP gave to me with the
> connection. I was quite surprised when I realized that it was ssh-accessible,
> and even more when I checked that it has htb, cbq, sfq, prio, and even red
> with ecn.
> It seems that I received a good machine after all. As you see they
> are trying to port OpenWrt to it, if they got it maybe it'll be possible to
> apply russell's patches.

That's handy :-) I guess the wireless ones have a bit more room for a better
kernel, the non wireless one I use only has 2meg flash and 8meg ram.

>
> Thanks again for all the info, luckily it's not the case, the latency is no
> more penalized than 20 ms in this situation, so it's ok, no buffers.
> Just a question anyway...let's suppose that we have big buffers in the
> device and this penalizes the latency. Would these buffers also prevent
> shaping with a simple prio? As I understand, they shouldn't, as long as any
> packet gets dropped between the qdisc and the device buffers, they would
> just fill up and then the queue would propagate to the qdisc, where the
> packet drop and the shaping should be done. Is this not the case for all
> drivers/interfaces?

It could work, but if the buffers are quite big two (unscaled) tcp
connections won't fill them.

>
>
>> Yes I suppose that should be OK as long as the % wasn't too high.
>>
>
> I have also observed this behaviour but I hardly understand it. HTB works
> well only if you set a rate some % smaller than the congestion rate, then
> when you see tc -s class show, all the classes have relatively large queues
> (backlogged packets), and the shaping is smooth. But if you set the rate
> closer to the congestion rate (or higher) then you start to see empty
> queues in the classes and/or with few backlogged packets.
> I can understand this happening in a LAN, but not in the adsl modem
> interface, theoretically the interface won't dequeue packets at a higher rate
> than it can send them. So the queues should form anyway in the classes
> whatever high rate you set to the root class... Otherwise neither HTB nor
> the prio class would work without rate limiting (like in a LAN), so I don't
> understand why in this case it works for the prio but not for HTB.

I can't think why that should be, I was thinking more of the P2P class being
starved if the % was too high.

Andy.

From lartc at dervishd.net Fri Sep 7 09:34:47 2007
From: lartc at dervishd.net (DervishD)
Date: Fri Sep 7 09:35:20 2007
Subject: [LARTC] About "b" meaning "byte" and bit
In-Reply-To: <46E06DCB.8000305@andyfurniss.entadsl.com>
References: <20070831162624.GA6133@DervishD> <7ed6b0aa0709022121y660a8e35j998e3f2246817263@mail.gmail.com> <20070903091729.GA24496@DervishD> <46E06DCB.8000305@andyfurniss.entadsl.com>
Message-ID: <20070907073447.GC17688@DervishD>

Hi Andy :)

 * Andy Furniss dixit:
> DervishD wrote:
> > Yes, I already knew that, what I was asking is why SI units are not
> >used and "shortcuts" are used instead: see my original message, I was
> >not sure if kilobit was being used correctly (meaning 1000 bits) or if
> >it was being used mistakenly for kibibit (1024 bits), and on top of
> >that, why "b" was being used as byte when the SI prefix for byte is "B".
>
> It got changed so kbit means 1000 when S.Hemminger took over maintenance
> IIRC.

Ok, thanks :))

> > I mean, tc doesn't seem to follow any standard except maybe in
> >kilobit (which should be then used as kb, not kbit).
>
> I think changing kb and kbit would break too many existing scripts.

That's the problem with scripts that insist blindly on parsing command
output, especially with commands whose output may (and should) change
regularly when improvements are made. I supposed this was the reason.

Does "tc" have another interface, preferably in "sys" or "proc", or is the
only way of getting the information asking the kernel directly (through
"tc", for example)?

Thanks a lot for your answer :)

Raúl Núñez de Arenas Coronado

--
Linux Registered User 88736 | http://www.dervishd.net
It's my PC and I'll cry if I want to... RAmen!
We are waiting for 13 Feb 2009 23:31:30 +0000 ...
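The ToS-to-priority-to-band chain in Javier Ors' draft priomap section a few messages up can be exercised in code. The Python below is an added example, not code from the HOWTO, from the draft, or from the kernel: its two tables are transcribed from the draft's tables (which put Maximize Reliability at ToS 0x4 and Minimize Monetary Cost at 0x2), and the indexing rule it assumes, mask the ToS octet with 0x1e and shift right by one so that the three precedence bits and the low bit (MBZ in the draft, ECN on today's kernels) are ignored, is how I understand the kernel's rt_tos2priority() to index ip_tos2prio; check that against your kernel source. pfifo_fast's three bands are assumed as the priomap target. The point worth running is separable_by_priomap(), which shows the non-one-to-one caveat from the draft: ToS values that land on the same Linux priority cannot be split by any priomap.

```python
"""ToS octet -> Linux priority -> pfifo_fast band (added example, not kernel code).

Tables transcribed from the draft priomap section quoted above. Assumed
kernel rule: index ip_tos2prio with (tos & 0x1e) >> 1, i.e. drop the three
precedence bits and the low bit (MBZ / ECN) of the ToS octet.
"""

# TC_PRIO_* values named in the draft
BESTEFFORT, FILLER, BULK, INTERACTIVE_BULK, INTERACTIVE = 0, 1, 2, 4, 6
PRIO_NAMES = {BESTEFFORT: "Best Effort", FILLER: "Filler", BULK: "Bulk",
              INTERACTIVE_BULK: "Interactive Bulk", INTERACTIVE: "Interactive"}

# Index = the four ToS bits md,mt,mr,mmc read as a number (8,4,2,1).
IP_TOS2PRIO = [
    BESTEFFORT, FILLER, BESTEFFORT, BESTEFFORT,                              # 0x0..0x6
    BULK, BULK, BULK, BULK,                                                  # 0x8..0xe
    INTERACTIVE, INTERACTIVE, INTERACTIVE, INTERACTIVE,                      # 0x10..0x16
    INTERACTIVE_BULK, INTERACTIVE_BULK, INTERACTIVE_BULK, INTERACTIVE_BULK,  # 0x18..0x1e
]
TOS_BIT_NAMES = ((8, "md"), (4, "mt"), (2, "mr"), (1, "mmc"))

DEFAULT_PRIOMAP = "1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1"   # pfifo_fast default
PFIFO_FAST_BANDS = 3


def parse_priomap(text, bands=PFIFO_FAST_BANDS):
    """Validate a priomap as typed on the tc command line; returns 16 band numbers."""
    entries = [int(tok) for tok in text.split()]
    if len(entries) != 16:
        raise ValueError(f"priomap needs 16 entries, got {len(entries)}")
    bad = [b for b in entries if not 0 <= b < bands]
    if bad:
        raise ValueError(f"band(s) {bad} out of range for {bands} bands")
    return entries


def _octet(tos):
    """Accept an int or the 'tos 0x10' style hex string that tcpdump -v -v prints."""
    return int(tos, 0) if isinstance(tos, str) else tos


def tos_bits(tos):
    """The four ToS bits of a whole ToS octet; precedence and the low bit are dropped."""
    return (_octet(tos) & 0x1E) >> 1


def tos_to_priority(tos):
    return IP_TOS2PRIO[tos_bits(tos)]


def band_for_tos(tos, priomap=DEFAULT_PRIOMAP, bands=PFIFO_FAST_BANDS):
    """The whole chain for an IPv4 packet: ToS octet -> Linux priority -> band."""
    return parse_priomap(priomap, bands)[tos_to_priority(tos)]


def describe_tos(tos):
    names = [name for bit, name in TOS_BIT_NAMES if tos_bits(tos) & bit]
    return "+".join(names) if names else "normal"


def separable_by_priomap(tos_a, tos_b):
    """Can any priomap put these two ToS values into different bands?

    Only if they land on different Linux priorities: the first mapping is
    hard-coded, so e.g. 0x00 and 0x04 (both Best Effort) can never be split.
    """
    return tos_to_priority(tos_a) != tos_to_priority(tos_b)


def tos_classes():
    """Group the 16 ToS values by the Linux priority they reach; each group is
    one equivalence class as far as priomap tuning is concerned."""
    groups = {}
    for bits in range(16):
        groups.setdefault(IP_TOS2PRIO[bits], []).append(bits << 1)
    return groups


if __name__ == "__main__":
    for prio, values in sorted(tos_classes().items()):
        print(f"{PRIO_NAMES[prio]:17} band {band_for_tos(values[0])}:",
              ", ".join(f"0x{v:02x} ({describe_tos(v)})" for v in values))
```

The precedence bits are masked off before the lookup, so a packet carrying ToS 0xb0 (precedence 5 plus Minimize Delay) ends up in the same band as plain 0x10; if you rely on precedence or DSCP to separate traffic, the priomap cannot see it and a filter is needed instead.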
From justin at expertron.co.za Fri Sep 7 10:43:59 2007
From: justin at expertron.co.za (Justin Schoeman)
Date: Fri Sep 7 10:44:13 2007
Subject: [LARTC] HTB does not respect the prio parameter
References: 46D52904.4040809@businessecurity.com
Message-ID: <46E10F4F.5030104@expertron.co.za>

Is quantum not perhaps a bit high? Try setting it lower, and see what
happens?

-justin

On 2007-08-29 08:06, Martin Björnsson wrote:
> Hi all,
>
> I'm experimenting with HTB and the prio parameter and it does not give me results I
> expect. I've created 4 HTB classes:
>
> 1:10 TCP ACKs (prio 0)
> 1:20 TCP traffic on dst port 10001 (prio 1)
> 1:30 TCP traffic on dst port 10000 (prio 2)
> 1:40 Default (prio 3)
>
> ceil and rate parameters are the same for all 4 classes (rate is 1000kbit and ceil is
> 55000kbit).
>
> Then I start 2 TCP flows on src/dst ports 10000 and 10001. The packets seem to be
> correctly classified by the filter (I get hits on classes 10, 20 and 30).
>
> The problem is that I get the same throughput on both TCP flows. Shouldn't I get about
> 1000kbit through class 30 and much more through class 20 since it has higher priority?
>
>
> Here's my setup script:
>
> #!/bin/sh
> /bin/tc qdisc add dev eth0 root handle 1: htb default 40

From martin at linux-ip.net Fri Sep 7 15:45:16 2007
From: martin at linux-ip.net (Martin A. Brown)
Date: Fri Sep 7 15:45:52 2007
Subject: [LARTC] iproute: add destination route by hostname...
In-Reply-To: <936d0cdf0709061356w686b079fs1c8992fd1ec4cc48@mail.gmail.com>
References: <936d0cdf0709061356w686b079fs1c8992fd1ec4cc48@mail.gmail.com>
Message-ID:

Greetings Hever,

 : How to add a static route to a hostname with iproute2?
 :
 : I tried:
 : ip route add linux.com via 192.168.1.1
 :
 : I got the following reply:
 : Error: an inet prefix is expected rather than "linux.com".
 :
 : With "route command" I do not have problems
 : route add -host linux.com gw 200.214.148.140
 :
 : As the iproute2 is the standard in the current linux distros, I
 : would like to know if it is possible to use the same resource ...

The iproute2 package does not understand names. If you wish to use the
iproute2 tools, use the following:

  ip route add 66.35.250.176 via 192.168.1.1

Some regard iproute's behaviour a misfeature. Some regard route's behaviour
a misfeature.

-Martin

--
Martin A. Brown
http://linux-ip.net/

From stefie10 at alum.mit.edu Fri Sep 7 15:48:53 2007
From: stefie10 at alum.mit.edu (Stefanie Tellex)
Date: Fri Sep 7 15:49:11 2007
Subject: [LARTC] Prioritizing VOIP traffic without sacrificing throughput
Message-ID: <46E156C5.1020302@alum.mit.edu>

Hi,

I would like to prioritize VOIP traffic when we use the phone, but other
times not do traffic shaping at all. Right now I have my openwrt router set
up with htb to do shaping. In order to get it to work well I had to set my
upload and download speeds much lower than my line speed. With these
settings, I get good VOIP reception even while surfing the net and doing a
long download. However, even when I'm not using the phone, a long download
is more than twice as slow as it is with shaping turned off.

Is there some way to configure it to only do shaping when it detects VOIP
packets, and otherwise not limit traffic?

Thanks,
Stefanie

From vadtec at vadtec.net Fri Sep 7 16:40:51 2007
From: vadtec at vadtec.net (Vadtec)
Date: Fri Sep 7 16:41:03 2007
Subject: [LARTC] tc filter syntax (and general noobness)
Message-ID: <46E162F3.7010301@vadtec.net>

Ok,

After much research and e-mails to the list, I'm finally to the point where
I have filtering setup properly.
Now, I'm trying to figure out tc filter so that I can classify packets on
both eth0 and eth1. So, let's take for example Samba traffic. I want to be
sure that it's being sent with relative speed so that my shares don't get
lagged. And what the heck, it's as good a place as any to start.

While I understand how to get the protocol number out of the header, I am
having difficulty getting the rest of the field. Mostly, it has to do with
offsets and which uX to use. So, going off of what I think is correct, I
have come up with this:

tc filter add dev eth1 parent 2: protocol ip prio 10 u32 match ip protocol 6 match u32 0xff534d42 0xffffffff at nexthdr+23 flowid 2:50

I seriously doubt this is the proper way to match a Samba header. So my
question is this. How do I identify where the offset is for a given header?
I assume that (going off the LARTC How To) I can look at output from
wireshark and simply count to the field I am after. (This is how I figured
out that

tc filter add dev ppp14 parent 1:0 prio 10 u32 match ip protocol 6 0xff match u8 0x10 0xff at nexthdr+13 flowid X:Y

uses next header+13 to go from the protocol field to the ACK bit for the
flags.)

The thing is, when I run this rule, none of the Samba traffic is being
routed to 2:50... so obviously I'm not doing something right.

Thanks for your help,
Vadtec

From nozo at ziu.info Fri Sep 7 18:17:06 2007
From: nozo at ziu.info (Michal Soltys)
Date: Fri Sep 7 18:17:21 2007
Subject: [LARTC] tc filter syntax (and general noobness)
In-Reply-To: <46E162F3.7010301@vadtec.net>
References: <46E162F3.7010301@vadtec.net>
Message-ID: <46E17982.802@ziu.info>

Vadtec wrote:
>
> ...
> protocol 6 match u32 0xff534d42 0xffffffff at nexthdr+23 flowid 2:50
> ...
>

Using nexthdr+ in as simple a way as above won't work. U32 won't
automatically adjust for the proper offset; you have to do it manually with
another u32 filter, using the "link" option.
It's very well explained in
http://ace-host.stuart.id.au/russell/files/tc/doc/cls_u32.txt

As a side note - don't forget that you can simply mark the traffic in
iptables and then use fwmark instead of u32 (or with u32 match mark).

Other bits of not-so-easy-to-find documentation re. tc, in case you need
it later in other cases:

1) In the source tarball, check the doc subdirectory for info about extended
action syntax
2) a bit of info about basic classifiers:
http://marc.info/?l=lartc&m=117569441229800&w=2

From bojleros at poczta.fm Sat Sep 8 10:06:52 2007
From: bojleros at poczta.fm (bartekR)
Date: Sat Sep 8 10:07:08 2007
Subject: [LARTC] Classes do not receive any traffic ?
In-Reply-To: <46E06CA0.5080507@andyfurniss.entadsl.com>
References: <46DC12F3.6010101@poczta.fm> <46E06CA0.5080507@andyfurniss.entadsl.com>
Message-ID: <46E2581C.5090401@poczta.fm>

Andy Furniss wrote:
> If your config looks OK your rules are so complex I would try something
> very simple like marking icmp and making a filter for that on eth/imq
> and seeing if it works or not.

I have built a simple script and as You wrote it worked. After this I have
modified my script by:
- removing lines containing -j CONNMARK and the line matching a non-zero mark.
- changing a few returning lines in _SKYPE

Now every class receives traffic as it should and ping decreased
significantly.

Andy Furniss wrote:
> DSl rates are hard to get right without patching tc/kernel as it uses
> ATM and the overheads on a packet are high and vary with size in 53byte
> chunks. Without patching you need to back off from the rates.

I didn't know that. Would You give me more information about this?

Andy Furniss wrote:
> To make things worse ingress shaping needs you to back off even more as
> you are at the wrong end of the bottleneck, so don't have total control
> like on egress.
> The slower the link the harder it is, you should use
> short child qdiscs on the htb bulk classes (limit parameter) and try to
> arrange the htb rules so that interactive classes (and don't have too
> many) get a rate much higher than they ever need with a higher prio than
> bulk.

I will try things as You mentioned. I have 3 interactive classes because of
Skype and p2p. I had tried to match Skype file transfers to user classes.
Unfortunately Skype connections are encrypted. My first idea was to mark
these packets by matching tos (similar to matching tos of ssh and scp) but
it failed because Skype always sends packets with tos=0. Is there any other
way to do that?

Sometimes p2p puts lots of ack packets. I don't want them to interfere with
the low latencies needed for games.

Thank You for Your help. Especially I appreciate Your will to read and
understand my first, very long and complex post :)

Bartek

From lsharpe at pacificwireless.com.au Mon Sep 10 01:55:24 2007
From: lsharpe at pacificwireless.com.au (Leigh Sharpe)
Date: Mon Sep 10 01:52:46 2007
Subject: [LARTC] Prioritizing VOIP traffic without sacrificing throughput
Message-ID: <96CF49BD8B56384395D698BA99007FA32C67@exchange.pacwire.local>

Can you post your configs?

Essentially, in order to keep the latency as low as possible, you need to
make sure that you never exceed the bandwidth of the upstream link. Whilst
doing this, you are able to ensure that your VOIP performance is good.

If you are not throttling your bandwidth, then just re-prioritising your
VOIP traffic will not help. As soon as you do a large download, your link
gets saturated and the latency goes up. Once that happens, even if your
router is re-prioritising the VOIP traffic, it is still latent, which means
that your phone performance will suffer.
By setting the upload and download speeds lower than the line speed, you
ensure that the line does not get latent, and then your re-prioritising is
effective. Most people seem to be of the opinion that around 80% or so of
the line speed is a good rule of thumb.

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Stefanie Tellex
Sent: Friday, 7 September 2007 11:49 PM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] Prioritizing VOIP traffic without sacrificing throughput

From dmiller at amfes.com Mon Sep 10 08:36:18 2007
From: dmiller at amfes.com (Daniel L. Miller)
Date: Mon Sep 10 08:36:34 2007
Subject: [LARTC] OpenVPN routing
Message-ID: <46E4E5E2.2070703@amfes.com>

Hi!

I'm trying to create a routed VPN using OpenVPN - and having trouble with
the routing concepts involved. Let me see if I can properly describe my
current topology:

Server -
LAN, with both local workstations and remote bridged workstations on the
192.168.0.0/24 network (this works without reservation).
Server located at 192.168.0.71, 192.168.0.72, 192.168.0.222, and few
others.
Routed VPN, 172.27.0.0/16 network. Server is located at 172.27.0.1.
Server can talk to clients, and clients can talk to server.

My 1st goal is to allow selected server-side LAN workstations to reach the
routed VPN workstations. The LAN should be invisible to the routed VPN.

My 2nd goal is to allow selected server-side LAN workstations to reach
networks served by routed VPN workstations as gateways [this involves
OpenVPN more, I believe]. The LAN should still be invisible to the routed
VPN.

My server routing table is:
172.27.0.2 dev tun0 proto kernel scope link src 172.27.0.1
192.168.20.0/24 dev vmnet8 proto kernel scope link src 192.168.20.1
10.4.1.0/24 via 172.27.0.2 dev tun0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.71
192.168.0.0/24 dev br1 proto kernel scope link src 192.168.0.72
192.168.30.0/24 dev vmnet1 proto kernel scope link src 192.168.30.1
172.27.0.0/16 via 172.27.0.2 dev tun0
default via 192.168.0.1 dev eth0

IP forwarding is enabled on all interfaces, and iptables (by way of
firehol) has rules to allow all forwarding between all interfaces.

If I create a 172.27.0.0/16 route on a LAN workstation, I can ping the
server at 172.27.0.1. But I cannot reach any VPN workstation. At one
time, by playing with some NAT rules, I was able to - but it didn't seem
right.

What am I missing?

Daniel

From alex at samad.com.au Mon Sep 10 11:05:11 2007
From: alex at samad.com.au (Alex Samad)
Date: Mon Sep 10 11:05:19 2007
Subject: [LARTC] OpenVPN routing
In-Reply-To: <46E4E5E2.2070703@amfes.com>
References: <46E4E5E2.2070703@amfes.com>
Message-ID: <20070910090511.GE6156@samad.com.au>

On Sun, Sep 09, 2007 at 11:36:18PM -0700, Daniel L. Miller wrote:
> Hi!
>
> I'm trying to create a routed VPN using OpenVPN - and having trouble with
> the routing concepts involved. Let me see if I can properly describe my
> current topology:
>
> Server -
> LAN, with both local workstations and remote bridged workstations on the
> 192.168.0.0/24 network (this works without reservation).
> Server located at 192.168.0.71, 192.168.0.72, 192.168.0.222, and few
> others.
> Routed VPN, 172.27.0.0/16 network. Server is located at 172.27.0.1.
> Server can talk to clients, and clients can talk to server.
>
> My 1st goal is to allow selected server-side LAN workstations to reach the
> routed VPN workstations. The LAN should be invisible to the routed VPN.
>
> My 2nd goal is to allow selected server-side LAN workstations to reach
> networks served by routed VPN workstations as gateways [this involves
> OpenVPN more, I believe]. The LAN should still be invisible to the routed
> VPN.
>
> My server routing table is:
> 172.27.0.2 dev tun0 proto kernel scope link src 172.27.0.1
> 192.168.20.0/24 dev vmnet8 proto kernel scope link src 192.168.20.1
> 10.4.1.0/24 via 172.27.0.2 dev tun0
> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.71
> 192.168.0.0/24 dev br1 proto kernel scope link src 192.168.0.72
> 192.168.30.0/24 dev vmnet1 proto kernel scope link src 192.168.30.1
> 172.27.0.0/16 via 172.27.0.2 dev tun0
> default via 192.168.0.1 dev eth0

I think you need to use a tap device (I currently have a similar setup, but I
do not hide the LAN - in fact I use openvpn to do site to site WAN)

By hide the LAN, you don't want the openvpn clients to see the 192.168
addresses? If that is the case this is more an iptables question: you will
need to nat the lan network going out, and if you want inbound traffic you
will need to set up natting on the way back in as well - static though.

why do you want to hide the network - ?

unless your server is the default gateway for the network you will have to
do 1 of 2 things: either set up routing on each client or update the default
gateway on how to route the packet (ie via the server).

Why does the client (openvpn client) not respond to pings? I would guess
again the usual routing problem; can you run tcpdump on these machines?
>
> IP forwarding is enabled on all interfaces, and iptables (by way of
> firehol) has rules to allow all forwarding between all interfaces.
>
> If I create a 172.27.0.0/16 route on a LAN workstation, I can ping the
> server at 172.27.0.1. But I cannot reach any VPN workstation. At one
> time, by playing with some NAT rules, I was able to - but it didn't seem
> right.
>
> What am I missing?
>
> Daniel

From wlodzimierz.lipert at gmail.com Mon Sep 10 11:26:38 2007
From: wlodzimierz.lipert at gmail.com (Wlodzimierz Lipert)
Date: Mon Sep 10 11:26:43 2007
Subject: [LARTC] Connection freeze when downloading
Message-ID: <3a33c03b0709100226p461d3d29i8aee7751f3319dca@mail.gmail.com>

Hi.

I have a problem in the following scenario:

3 routers A, B, C:

router A:
eth0 --> DSL ( public IP )
eth1 --> 192.168.0.1 ( local network )

routing table A:
83.x.x.x/29 dev eth0 proto kernel scope link src 83.x.x.x
192.168.5.0/24 via 192.168.0.8 dev eth1
192.168.4.0/24 via 192.168.0.8 dev eth1
192.168.3.0/24 via 192.168.0.8 dev eth1
192.168.2.0/24 via 192.168.0.8 dev eth1
192.168.1.0/24 via 192.168.0.8 dev eth1
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1
127.0.0.0/8 dev lo scope link
default via 83.x.x.x dev eth0

router B:
eth0 --> 192.168.0.8 ( direct RJ45 connection to router A )
ath0 --> 192.168.3.1 ( wireless AP -- only for bridging with router C ).
ath1 --> 192.168.1.1 ( wireless AP, for clients )
ath2 --> 192.168.2.1 ( wireless AP, for clients )

routing table B:
192.168.5.0/24 via 192.168.3.2 dev ath0
192.168.4.0/24 via 192.168.3.2 dev ath0
192.168.3.0/24 dev ath0 proto kernel scope link src 192.168.3.1
192.168.2.0/24 dev ath1 proto kernel scope link src 192.168.2.1
192.168.1.0/24 dev ath2 proto kernel scope link src 192.168.1.1
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.8
127.0.0.0/8 dev lo scope link
default via 192.168.0.1 dev eth0

router C:
eth0 --> 192.168.5.1 ( RJ45 connection for clients )
ath0 --> 192.168.3.2 ( wireless STATION -- bridges with router B )
ath1 --> 192.168.4.1 ( wireless AP, for clients )

routing table C:
192.168.5.0/24 dev eth0 proto kernel scope link src 192.168.5.1
192.168.4.0/24 dev ath1 proto kernel scope link src 192.168.4.1
192.168.3.0/24 dev ath0 proto kernel scope link src 192.168.3.2
192.168.0.0/24 via 192.168.3.1 dev ath0
127.0.0.0/8 dev lo scope link
default via 192.168.3.1 dev ath0

THE PROBLEM:

On first look all is fine, but when I try to download
http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe on router C, the
connection freezes after receiving some kilobytes ( random ). The same file
is downloadable on routers A and B with no problems.
This link http://kernel.org/pub/linux/kernel/v2.6/linux-2.6.22.6.tar.bz2
and many others are downloadable on all routers A, B, C with no problem.
It seems that some files freeze the connection when sourced by router C,
but on A and B cause no problems.

Example of conn. freeze:

baator ~ # wget http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
--11:25:32--  http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
           => `putty.exe'
Resolving the.earth.li... 193.201.200.66
Connecting to the.earth.li|193.201.200.66|:80... connected.
HTTP request sent, awaiting response...
302 Found
Location: http://the.earth.li/~sgtatham/putty/0.60/x86/putty.exe [following]
--11:25:32--  http://the.earth.li/~sgtatham/putty/0.60/x86/putty.exe
           => `putty.exe'
Reusing existing connection to the.earth.li:80.
HTTP request sent, awaiting response... 200 OK
Length: 454,656 (444K) [application/x-msdos-program]

20% [=================>                    ] 93,775   --.--K/s   ETA 00:47

Any Ideas?

Thanks.

--
Regards,
Wlodzimierz Lipert

From dmiller at amfes.com Mon Sep 10 22:40:29 2007
From: dmiller at amfes.com (Daniel L. Miller)
Date: Mon Sep 10 22:40:42 2007
Subject: [LARTC] OpenVPN routing
In-Reply-To: <20070910090511.GE6156@samad.com.au>
References: <46E4E5E2.2070703@amfes.com> <20070910090511.GE6156@samad.com.au>
Message-ID: <46E5ABBD.2050604@amfes.com>

Alex Samad wrote:
> On Sun, Sep 09, 2007 at 11:36:18PM -0700, Daniel L. Miller wrote:
>
>> Hi!
>>
>> I'm trying to create a routed VPN using OpenVPN - and having trouble with
>> the routing concepts involved. Let me see if I can properly describe my
>> current topology:
>>
>> Server -
>> LAN, with both local workstations and remote bridged workstations on the
>> 192.168.0.0/24 network (this works without reservation).
>> Server located at 192.168.0.71, 192.168.0.72, 192.168.0.222, and few
>> others.
>> Routed VPN, 172.27.0.0/16 network. Server is located at 172.27.0.1.
>> Server can talk to clients, and clients can talk to server.
>>
>> My 1st goal is to allow selected server-side LAN workstations to reach the
>> routed VPN workstations. The LAN should be invisible to the routed VPN.
>>
>> My 2nd goal is to allow selected server-side LAN workstations to reach
>> networks served by routed VPN workstations as gateways [this involves
>> OpenVPN more, I believe]. The LAN should still be invisible to the routed
>> VPN.
>>
>> My server routing table is:
>> 172.27.0.2 dev tun0 proto kernel scope link src 172.27.0.1
>> 192.168.20.0/24 dev vmnet8 proto kernel scope link src 192.168.20.1
>> 10.4.1.0/24 via 172.27.0.2 dev tun0
>> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.71
>> 192.168.0.0/24 dev br1 proto kernel scope link src 192.168.0.72
>> 192.168.30.0/24 dev vmnet1 proto kernel scope link src 192.168.30.1
>> 172.27.0.0/16 via 172.27.0.2 dev tun0
>> default via 192.168.0.1 dev eth0
>>
>
> I think you need to use a tap device (I currently have a similar setup, but I
> do not hide the LAN - in fact I use openvpn to do site to site WAN)
>
> By hide the LAN, you don't want the openvpn clients to see the 192.168
> addresses? If that is the case this is more an iptables question: you will
> need to nat the lan network going out, and if you want inbound traffic you
> will need to set up natting on the way back in as well - static though.
>

So do I need a source NAT directing all traffic intended for 172.27.0.0/16
from 192.168.0.0/24 to come from 172.27.0.1?

> why do you want to hide the network - ?
>

The VPN is to provide me a secure static connection to customers' sites.
However, those customers should be able to see neither each other, nor
reach our internal LAN - unless the connection is initiated from our side.

--
Daniel

From alex at samad.com.au Tue Sep 11 00:03:31 2007
From: alex at samad.com.au (Alex Samad)
Date: Tue Sep 11 00:03:42 2007
Subject: [LARTC] OpenVPN routing
In-Reply-To: <46E5ABBD.2050604@amfes.com>
References: <46E4E5E2.2070703@amfes.com> <20070910090511.GE6156@samad.com.au> <46E5ABBD.2050604@amfes.com>
Message-ID: <20070910220331.GG6156@samad.com.au>

On Mon, Sep 10, 2007 at 01:40:29PM -0700, Daniel L. Miller wrote:
> Alex Samad wrote:
>> On Sun, Sep 09, 2007 at 11:36:18PM -0700, Daniel L. Miller wrote:
>>
>>> Hi!
>>>
>>> I'm trying to create a routed VPN using OpenVPN - and having trouble with
>>> the routing concepts involved.
Let me see if I can properly describe my >>> current topology: >>> >>> Server - >>> LAN, with both local workstations and remote bridged workstations on the >>> 192.168.0.0/24 network (this works without reservation). >>> Server located at 192.168.0.71, 192.168.0.72, 192.168.0.222, and few >>> others. >>> Routed VPN, 172.27.0.0/16 network. Server is located at 172.27.0.1. >>> Server can talk to clients, and clients can talk to server. >>> >>> My 1st goal is to allow selected server-side LAN workstations to reach >>> the routed VPN workstations. The LAN should be invisible to the routed >>> VPN. >>> >>> My 2nd goal is to allow selected server-side LAN workstations to reach >>> networks server by routed VPN workstations as gateways [this involves >>> OpenVPN more, I believe]. The LAN should still be invisible to the >>> routed VPN. >>> >>> My server routing table is: >>> 172.27.0.2 dev tun0 proto kernel scope link src 172.27.0.1 >>> 192.168.20.0/24 dev vmnet8 proto kernel scope link src 192.168.20.1 >>> 10.4.1.0/24 via 172.27.0.2 dev tun0 >>> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.71 >>> 192.168.0.0/24 dev br1 proto kernel scope link src 192.168.0.72 >>> 192.168.30.0/24 dev vmnet1 proto kernel scope link src 192.168.30.1 >>> 172.27.0.0/16 via 172.27.0.2 dev tun0 >>> default via 192.168.0.1 dev eth0 >>> >> >> I think you need to use a tap device (I currently have a similar setup, >> but I do not hide the LAN - infact I use openvpn to do site to site WAN) >> >> By hide the LAN you don't want to the openvpn clients to see the 192.168 >> addresses if that is the case this is more a iptables question you will >> need to nat the lan network going out, if you want in bound traffic you >> will need to setup natting on the way back in as well - static though. >> > So do I need a source NAT directing all traffic intended for 172.27.0.0/16 > from 192.168.0.0/24 to come from 172.27.0.1? >> why do you want to hide the network - ? 
>>
> The VPN is to provide me a secure static connection to customer's sites.
> However, those customers should be able to see neither each other, nor
> reach our internal LAN - unless the connection is initiated from our side.

Okay, then you just want outbound. Pretend the customer's site is the internet: SNAT should do it (and a firewall just to be safe). You should only need one on the client's openvpn side, but because that is not in your direct control (physically), I would probably suggest SNAT'ing again on your openvpn server or in the firewall rules.

So, at your site:

* Set routing: either fix up the default route or add routing to each client machine (the former being the easier of the 2)
* Set up a firewall
* Set up SNAT, or push a route through to the client: 'push "route 192.168.8.0 255.255.252.0"' - done in the openvpn server config (the latter is probably the better - stay away from the double NATting)

On the customer site:

* Set up SNAT to hide everything coming from your site behind the local LAN address
* Set up a firewall

So all traffic coming from your site will end up on the customer site with a local LAN address.

There is no routing back into your LAN, because of a) routing, b) firewall on the customer site, c) firewall on the server.

a & b are easy to get around because they are at the customer site. C is where your protection is.

Alex

> --
> Daniel

From dmiller at amfes.com Tue Sep 11 00:48:13 2007
From: dmiller at amfes.com (Daniel L.
Miller) Date: Tue Sep 11 00:48:16 2007 Subject: [LARTC] OpenVPN routing In-Reply-To: <20070910220331.GG6156@samad.com.au> References: <46E4E5E2.2070703@amfes.com> <20070910090511.GE6156@samad.com.au> <46E5ABBD.2050604@amfes.com> <20070910220331.GG6156@samad.com.au> Message-ID: <46E5C9AD.7030603@amfes.com> Alex Samad wrote: > On Mon, Sep 10, 2007 at 01:40:29PM -0700, Daniel L. Miller wrote: > >> Alex Samad wrote: >> >>> On Sun, Sep 09, 2007 at 11:36:18PM -0700, Daniel L. Miller wrote: >>> >>> >>>> Hi! >>>> >>>> I'm trying to create a routed VPN using OpenVPN - and having trouble with >>>> the routing concepts involved. Let me see if I can properly describe my >>>> current topology: >>>> >>>> Server - >>>> LAN, with both local workstations and remote bridged workstations on the >>>> 192.168.0.0/24 network (this works without reservation). >>>> Server located at 192.168.0.71, 192.168.0.72, 192.168.0.222, and few >>>> others. >>>> Routed VPN, 172.27.0.0/16 network. Server is located at 172.27.0.1. >>>> Server can talk to clients, and clients can talk to server. >>>> >>>> My 1st goal is to allow selected server-side LAN workstations to reach >>>> the routed VPN workstations. The LAN should be invisible to the routed >>>> VPN. >>>> >>>> My 2nd goal is to allow selected server-side LAN workstations to reach >>>> networks server by routed VPN workstations as gateways [this involves >>>> OpenVPN more, I believe]. The LAN should still be invisible to the >>>> routed VPN. >>>> >>> I think you need to use a tap device (I currently have a similar setup, >>> but I do not hide the LAN - infact I use openvpn to do site to site WAN) >>> >>> By hide the LAN you don't want to the openvpn clients to see the 192.168 >>> addresses if that is the case this is more a iptables question you will >>> need to nat the lan network going out, if you want in bound traffic you >>> will need to setup natting on the way back in as well - static though. 
>>> >> So do I need a source NAT directing all traffic intended for 172.27.0.0/16 >> from 192.168.0.0/24 to come from 172.27.0.1? >> > Okay then you just want out bound, pretend the customers site is the internet, > SNAT should do it (and a firewall just to be safe), you should only need one on > the client's openvpn side, but because that is not in direct controll of you > (physcially), I would probably suggest snat'ting again on your openpvn server > or the firewall rules > I've put in a snat on the server side - seems to be working fine. > So > > At your site > > * Set routing either fix up the default route or add routing to each client > machine (the former being the easier of the 2) > * Set up a firewall > * setup SNAT or push a route through to the client 'push "route 192.168.8.0 > 255.255.252.0"' - done in the openvpn server config (the later is probably the > better - stay away from the double natting ) > > > one the customer site > * Set up SNAT hide everything coming from your site being the local lan address > * set up a firewall > > > So all traffic coming from your site will end up on the customer site with a > local lan address. > > There is no routing back into your lan, because of a) routing b) firewall on > the customer site c) firewall on the server. > > a & b are easy to get around because they are at the customer site. C is where > you protection is. > Customer's site not under my control - and running Windows so my linux options are rather limited . So I need to do everything within the server and OpenVPN. I CAN push a route to the client - but I still don't see why I need to share my LAN information with the clients at all - I just need the OpenVPN client to be a gateway for the VPN and forward VPN traffic from the remote network. -- Daniel From lists at andyfurniss.entadsl.com Tue Sep 11 03:09:09 2007 From: lists at andyfurniss.entadsl.com (Andy Furniss) Date: Tue Sep 11 03:09:19 2007 Subject: [LARTC] Classes do not receive any traffic ? 
In-Reply-To: <46E2581C.5090401@poczta.fm>
References: <46DC12F3.6010101@poczta.fm> <46E06CA0.5080507@andyfurniss.entadsl.com> <46E2581C.5090401@poczta.fm>
Message-ID: <46E5EAB5.7060305@andyfurniss.entadsl.com>

bartekR wrote:
> Andy Furniss wrote:
>> DSL rates are hard to get right without patching tc/kernel as it uses
>> ATM and the overheads on a packet are high and vary with size in
>> 53-byte chunks. Without patching you need to back off from the rates.
>
> I didn't know that. Would you give me more information about this?

There may be a way to allow for them in kernel one day, but for now you need to patch htb and tc to do it.

http://ace-host.stuart.id.au/russell/files/tc/tc-atm/

There is also a patch to make htb more accurate on that page.

Even if you patch you still have to back off for ingress traffic or it will buffer up at your ISP/telco and mess up latency. The more you care about latency the more you need to sacrifice bandwidth.

On 256kbit egress you are going to get latency up to 50ms because that's how long a 1500 byte packet will take to transmit. If you don't tweak htb it will be up to 100 because htb dequeues in pairs by default. If you want less you could consider lowering MTU or MSS clamping.

>
> Andy Furniss wrote:
>> To make things worse ingress shaping needs you to back off even more
>> as you are at the wrong end of the bottleneck, so don't have total
>> control like on egress. The slower the link the harder it is, you
>> should use short child qdiscs on the htb bulk classes (limit
>> parameter) and try to arrange the htb rules so that interactive
>> classes (and don't have too many) get a rate much higher than they
>> ever need with a higher prio than bulk.
>
> I will try things as you mentioned.
>
> I have 3 interactive classes because of Skype and p2p. I had tried to
> match Skype file transfers to user classes. Unfortunately Skype
> connections are encrypted.
Mine first idea was to mark this packet by > matching tos (similar to matching tos of ssh and scp) but it failed > because Skype always send packet with tos=0. Is there any other way to > do that ?? > Sometimes p2p puts lots of ack packets. I don't want them to interfere > with low latencies needed for games. Sometimes it's easier to match what you know is interactive and treat the rest as bulk, you can still give acks/small packets a higher prio than the rest, but put known game traffic highest prio. I noticed you used 0 burst - IIRC 0 ended up bigger than using 10 for me - I guess you get a default if you specify 0. You should only do this for bulk traffic, for interactive it's better to let it burst through. You don't really want to delay it at all. From alex at samad.com.au Tue Sep 11 04:14:11 2007 From: alex at samad.com.au (Alex Samad) Date: Tue Sep 11 04:14:20 2007 Subject: [LARTC] OpenVPN routing In-Reply-To: <46E5C9AD.7030603@amfes.com> References: <46E4E5E2.2070703@amfes.com> <20070910090511.GE6156@samad.com.au> <46E5ABBD.2050604@amfes.com> <20070910220331.GG6156@samad.com.au> <46E5C9AD.7030603@amfes.com> Message-ID: <20070911021411.GK6156@samad.com.au> On Mon, Sep 10, 2007 at 03:48:13PM -0700, Daniel L. Miller wrote: > Alex Samad wrote: >> On Mon, Sep 10, 2007 at 01:40:29PM -0700, Daniel L. Miller wrote: >> >>> Alex Samad wrote: >>> >>>> On Sun, Sep 09, 2007 at 11:36:18PM -0700, Daniel L. Miller wrote: >>>> >>>>> Hi! >>>>> >>>>> I'm trying to create a routed VPN using OpenVPN - and having trouble >>>>> with the routing concepts involved. Let me see if I can properly >>>>> describe my current topology: >>>>> >>>>> Server - >>>>> LAN, with both local workstations and remote bridged workstations on >>>>> the >>>>> 192.168.0.0/24 network (this works without reservation). >>>>> Server located at 192.168.0.71, 192.168.0.72, 192.168.0.222, and few >>>>> others. >>>>> Routed VPN, 172.27.0.0/16 network. Server is located at 172.27.0.1. 
>>>>> Server can talk to clients, and clients can talk to server. >>>>> >>>>> My 1st goal is to allow selected server-side LAN workstations to reach >>>>> the routed VPN workstations. The LAN should be invisible to the routed >>>>> VPN. >>>>> >>>>> My 2nd goal is to allow selected server-side LAN workstations to reach >>>>> networks server by routed VPN workstations as gateways [this involves >>>>> OpenVPN more, I believe]. The LAN should still be invisible to the >>>>> routed VPN. >>>>> >>>> I think you need to use a tap device (I currently have a similar setup, >>>> but I do not hide the LAN - infact I use openvpn to do site to site WAN) >>>> >>>> By hide the LAN you don't want to the openvpn clients to see the 192.168 >>>> addresses if that is the case this is more a iptables question you will >>>> need to nat the lan network going out, if you want in bound traffic you >>>> will need to setup natting on the way back in as well - static though. >>>> >>> So do I need a source NAT directing all traffic intended for >>> 172.27.0.0/16 from 192.168.0.0/24 to come from 172.27.0.1? >>> >> Okay then you just want out bound, pretend the customers site is the >> internet, SNAT should do it (and a firewall just to be safe), you should >> only need one on the client's openvpn side, but because that is not in >> direct controll of you (physcially), I would probably suggest snat'ting >> again on your openpvn server or the firewall rules >> > I've put in a snat on the server side - seems to be working fine. 
>> So
>> At your site
>>
>> * Set routing either fix up the default route or add routing to each
>> client machine (the former being the easier of the 2)
>> * Set up a firewall
>> * setup SNAT or push a route through to the client 'push "route
>> 192.168.8.0 255.255.252.0"' - done in the openvpn server config (the
>> later is probably the better - stay away from the double natting )
>>
>>
>> one the customer site
>> * Set up SNAT hide everything coming from your site being the local lan
>> address
>> * set up a firewall
>>
>> So all traffic coming from your site will end up on the customer site with
>> a local lan address.
>>
>> There is no routing back into your lan, because of a) routing b) firewall
>> on the customer site c) firewall on the server.
>>
>> a & b are easy to get around because they are at the customer site. C is
>> where you protection is.
>>
> Customer's site not under my control - and running Windows so my linux
> options are rather limited. So I need to do everything within the
> server and OpenVPN. I CAN push a route to the client - but I still don't
> see why I need to share my LAN information with the clients at all - I just
> need the OpenVPN client to be a gateway for the VPN and forward VPN traffic
> from the remote network.

If you are using SNAT you shouldn't. If you have set up an IP network for the VPN, i.e. if your server IP address is not in the network for the customer, you will need SNAT'ing there, else the client machine will not know how to get back.

>
> --
> Daniel
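
An added example, not code from the thread or from OpenVPN itself: a server-side ruleset for the policy Daniel describes, in which selected LAN hosts may open connections into the VPN, nothing on the VPN may open a connection toward the LAN, and VPN clients cannot reach each other through the server. The addresses are taken from Daniel's routing table (192.168.0.0/24 on eth0, 172.27.0.0/16 on tun0, server 172.27.0.1, 10.4.1.0/24 behind client 172.27.0.2); the list of "selected" workstations, the use of iptables-restore(8) with a DROP policy on FORWARD, and the conntrack match are assumptions. It renders the ruleset instead of running iptables commands so it can be read before it is loaded. With a DROP policy, any other forwarding this box does (the vmnet networks in the table) needs its own ACCEPT rules.

```shell
#!/bin/sh
# Added example: OpenVPN server-side SNAT plus a one-way forwarding policy.
# Not from the thread; addresses come from Daniel's routing table, the rest
# (allowed hosts, DROP policy, conntrack match) is assumed.

LAN_IF=eth0
LAN_NET=192.168.0.0/24
VPN_IF=tun0
VPN_SRC=172.27.0.1                       # server's tunnel address: all a client ever sees
# Assumed: the "selected" LAN workstations allowed to initiate into the VPN.
ALLOWED_HOSTS="192.168.0.71 192.168.0.222"

# Print one iptables-restore line; printf '%s\n' keeps a leading "-A" literal.
rule() { printf '%s\n' "$*"; }

render_vpn_rules() {
    rule '*nat'
    rule ':POSTROUTING ACCEPT [0:0]'
    # Everything the LAN sends into the tunnel is re-sourced to the server's
    # VPN address, so no 192.168.0.x address appears on a client. Matching on
    # -o tun0 also covers networks behind clients (10.4.1.0/24 via 172.27.0.2).
    rule "-A POSTROUTING -s $LAN_NET -o $VPN_IF -j SNAT --to-source $VPN_SRC"
    rule 'COMMIT'

    rule '*filter'
    rule ':FORWARD DROP [0:0]'
    # Replies to connections the LAN opened may come back, and nothing else.
    rule '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for h in $ALLOWED_HOSTS; do
        rule "-A FORWARD -i $LAN_IF -o $VPN_IF -s $h -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Clients may not reach each other through the server (tun0 -> tun0) and
    # may not open anything toward the LAN (tun0 -> eth0). Both would hit the
    # DROP policy anyway; explicit rules make the intent visible and give
    # per-rule counters in iptables -vnL FORWARD.
    rule "-A FORWARD -i $VPN_IF -o $VPN_IF -j DROP"
    rule "-A FORWARD -i $VPN_IF -o $LAN_IF -j DROP"
    rule 'COMMIT'
}

# Number of FORWARD rules produced; a cheap sanity check on the rendering.
count_forward_rules() { render_vpn_rules | grep -c '^-A FORWARD'; }

# Usage: ./vpn-rules.sh        -> print the ruleset for review
#        ./vpn-rules.sh apply  -> load it (root; replaces the nat and filter tables)
if [ "${1:-}" = apply ]; then
    render_vpn_rules | iptables-restore
else
    render_vpn_rules
fi
```

With only this in place a LAN workstation sees the customer side as 172.27.0.x addresses and the customer side sees only 172.27.0.1, which is Alex's "pretend the customer's site is the internet" without any change at the customer end. For the second goal, a network behind a client such as 10.4.1.0/24, the OpenVPN server config additionally needs `route 10.4.1.0 255.255.255.0` and that client's client-config-dir file needs `iroute 10.4.1.0 255.255.255.0`; the SNAT rule above already covers that traffic because it matches on the outgoing interface, not on the destination.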
From dennyzulfikar at gmail.com Tue Sep 11 07:16:42 2007
From: dennyzulfikar at gmail.com (Denny Zulfikar)
Date: Tue Sep 11 07:16:58 2007
Subject: [LARTC] one server with 4 port ethernet interfaces to four clients.

Dear all,

I have a server with 4 ethernet port interfaces. Also, I have four clients that will be connected directly (cross-cable), one to each ethernet port interface of my server.

  |--SERVER--\
  |  eth0-- ------------------ client A
  |  eth1-- ------------------ client B
  |  eth2-- ------------------ client C
  |  eth3-- ------------------ client D
  |------------------/

I want all IP addresses of my server's ethernet ports set to the same IP (e.g. 172.16.1.1).

IP client A : 172.16.1.11
IP client B : 172.16.1.12
IP client C : 172.16.1.13
IP client D : 172.16.1.14

How do I make that configuration work?

Thanks for your response.

Best regards,
Denny Zulfikar

From matt at acm.cs.uic.edu Tue Sep 11 07:45:54 2007
From: matt at acm.cs.uic.edu (Matt Hull)
Date: Tue Sep 11 07:49:00 2007
Subject: [LARTC] one server with 4 port ethernet interfaces to four clients.

Depends what you have set up. If it's static then all the clients need to be configured that way. If it's DHCP then it depends on your DHCP server. I use dnsmasq and enabled /etc/ethers, where I put the MAC address and assigned IP there.

matt

On Tue, 11 Sep 2007, Denny Zulfikar wrote:
> Dear all,
>
> I have a server with 4 ethernet port interfaces. Also, I have four clients
> that will connected directly (cross-cable) to one-by-one of each port
> ethernet interfaces of my server.
> > |--SERVER--\ > | eth0-- ------------------ client A > | eth1-- ------------------ client B > | eth2-- ------------------ client C > | eth3-- ------------------ client D > |------------------/ > > > I want all IP address of my server ethernet is set to same IP (ex, > 172.16.1.1). > IP client A : 172.16.1.11 > IP client B : 172.16.1.12 > IP client C : 172.16.1.13 > IP client D : 172.16.1.14 > > > how to make that configuration working? > > > Thanks for your response. > > Best regards, > Denny Zulfikar > From linnewbye at gmail.com Tue Sep 11 07:59:18 2007 From: linnewbye at gmail.com (nano bug) Date: Tue Sep 11 07:59:24 2007 Subject: [LARTC] one server with 4 port ethernet interfaces to four clients. In-Reply-To: References: Message-ID: Hello, Just bridge the interfaces and assign 172.16.1.1 on the bridge interface. On 9/11/07, Denny Zulfikar wrote: > Dear all, > > I have a server with 4 ethernet port interfaces. Also, I have four clients > that will connected directly (cross-cable) to one-by-one of each port > ethernet interfaces of my server. > > |--SERVER--\ > | eth0-- ------------------ client A > | eth1-- ------------------ client B > | eth2-- ------------------ client C > | eth3-- ------------------ client D > |------------------/ > > > I want all IP address of my server ethernet is set to same IP (ex, > 172.16.1.1). > IP client A : 172.16.1.11 > IP client B : 172.16.1.12 > IP client C : 172.16.1.13 > IP client D : 172.16.1.14 > > > how to make that configuration working? > > > Thanks for your response. 
>
> Best regards,
> Denny Zulfikar
>

From stefie10 at alum.mit.edu Tue Sep 11 16:41:44 2007
From: stefie10 at alum.mit.edu (Stefanie Tellex)
Date: Tue Sep 11 16:42:16 2007
Subject: [LARTC] Prioritizing VOIP traffic without sacrificing throughput
In-Reply-To: <96CF49BD8B56384395D698BA99007FA32C67@exchange.pacwire.local>
References: <96CF49BD8B56384395D698BA99007FA32C67@exchange.pacwire.local>
Message-ID: <46E6A928.1050504@alum.mit.edu>

Hi,

I'm not sure what the standard way to post configs is, but here is an attempt.

I know that I have to limit my bandwidth in order to do traffic shaping. The problem is that in order to get good VOIP calls, I have to throttle the bandwidth by a lot. When shaping is turned on, my download speed drops by more than half. That's fine when I'm actually making a phone call, but it is also much slower even when I'm not on the phone. So I was wondering if there was some way to turn on shaping only when I'm on the phone, and otherwise don't do anything.
Thanks,
Stefanie

root@openwrtrouter:~$ tc -d -s qdisc
qdisc pfifo_fast 0: dev eth0 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 80516522 bytes 296966 pkts (dropped 0, overlimits 0)
qdisc pfifo_fast 0: dev eth1 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 134572731 bytes 169287 pkts (dropped 0, overlimits 0)
qdisc sfq 8004: dev vlan1 limit 128p quantum 1600b flows 128/1024 perturb 10sec
 Sent 303188 bytes 3819 pkts (dropped 0, overlimits 0)
qdisc sfq 8003: dev vlan1 limit 128p quantum 1600b flows 128/1024 perturb 10sec
 Sent 11613498 bytes 25012 pkts (dropped 0, overlimits 0)
qdisc sfq 8002: dev vlan1 limit 128p quantum 1600b flows 128/1024 perturb 10sec
 Sent 5074 bytes 21 pkts (dropped 0, overlimits 0)
qdisc sfq 8001: dev vlan1 limit 128p quantum 1600b flows 128/1024 perturb 10sec
 Sent 16443879 bytes 143434 pkts (dropped 0, overlimits 0)
qdisc htb 1: dev vlan1 r2q 1 default 40 direct_packets_stat 0 ver 3.17
 Sent 28365639 bytes 172286 pkts (dropped 0, overlimits 11574)
qdisc red 8008: dev imq0 limit 64000b min 8000b max 32000b ewma 4 Plog 21 Scell_log 11
 Sent 6280529 bytes 14541 pkts (dropped 12, overlimits 12)
 marked 0 early 12 pdrop 0 other 0
qdisc red 8007: dev imq0 limit 64000b min 8000b max 32000b ewma 4 Plog 21 Scell_log 11
 Sent 149830593 bytes 145595 pkts (dropped 1893, overlimits 1893)
 backlog 4476b 3p
 marked 0 early 1893 pdrop 0 other 0
qdisc red 8006: dev imq0 limit 64000b min 8000b max 32000b ewma 4 Plog 21 Scell_log 11
 Sent 28810 bytes 157 pkts (dropped 0, overlimits 0)
 marked 0 early 0 pdrop 0 other 0
qdisc red 8005: dev imq0 limit 64000b min 8000b max 32000b ewma 4 Plog 21 Scell_log 11
 Sent 6794403 bytes 24493 pkts (dropped 0, overlimits 0)
 marked 0 early 0 pdrop 0 other 0
qdisc htb 1: dev imq0 r2q 1 default 40 direct_packets_stat 0 ver 3.17
 Sent 162934335 bytes 184786 pkts (dropped 1905, overlimits 224775)
 backlog 3p

Leigh Sharpe wrote:
> Can you post your configs?
> Essentially, in order to keep the latency as low as possible, you need > to make sure that you never exceed the bandwidth of the upstream link. > Whilst doing this, you are able to ensure that your VOIP performance is > good. If you are not throttling your bandwidth, then just > re-prioritising your VOIP traffic will not help. As soon as you do a > large download, your link gets saturated and the latency goes up. Once > that happens, even if your router is re-prioritising the VOIP traffic, > it is still latent, which means that your phone performance will suffer. > By setting the upload and download speeds lower than the line speed, you > ensure that the line does not get latent, and then your re-prioritising > is effective. > Most people seem to be of the opinion that around 80% or so of the line > speed is a good rule of thumb. > > -----Original Message----- > From: lartc-bounces@mailman.ds9a.nl > [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Stefanie Tellex > Sent: Friday, 7 September 2007 11:49 PM > To: lartc@mailman.ds9a.nl > Subject: [LARTC] Prioritizing VOIP traffic without sacrificing > throughput > > Hi, > > I would like to prioritize VOIP traffic when we use the phone, but other > times not do traffic shaping at all. > > Right now I have my openwrt router set up with htb to do shaping. In > order to get it to work well I had to set my upload and download speeds > much lower than my line speed. With these settings, I get good VOIP > reception even while surfing the net and doing a long download. > However, even when I'm not using the phone, a long download is more than > twice as slow than it is with shaping turned off. > > Is there some way to configure it to only do shaping when it detects > VOIP packets, and otherwise not limit traffic? 
>
> Thanks,
>
> Stefanie

################################################################################
##
## User configuration of the QoS script
##
## At a minimum, set the DOWNLOAD and UPLOAD variables below. Setting these
## slightly slower than the actual line speeds is critical to good QoS
## performance. With download and upload speeds set too high, the traffic queues
## in the modem (upload) and on the ISP side (download) will quickly fill up. As
## these queues can be very long --on the order of several seconds-- filling
## them will prohibit any meaningful traffic shaping.
##
## The default configuration, with the proper upload and download speeds set,
## should be adequate for most situations to separate out low-priority
## peer-to-peer traffic (eMule, Bittorrent, etc.) from interactive traffic such
## as web browsing and SSH sessions.
##
## The configuration can be refined by modifying the settings below. As an
## example, consider including support for VoIP. This may be accomplished by
## adding the IP address of a VoIP adapter to the IP_EXPR variable (e.g.
## IP_EXPR="192.168.1.10"). Doing so will elevate the status of traffic to and
## from the VoIP box to 'express'.
##
## In general, the configuration of the QoS script requires the setting of
## several variables. Most variables expect a space separated list of elements
## (ports, IP addresses, protocols). Adding an element to a list will, based on
## the variable name, either promote a certain connection to 'express' (highest
## priority) or 'priority' status, or demote it to 'bulk' status. The default
## status for all traffic is 'normal'.
## An example of setting a configuration variable to classify traffic is the
## statement
##
## TCP_PRIO="80 443"
##
## Including this line in the configuration will ensure that all TCP traffic to
## the listed ports (in this particular case for the http and https protocols)
## will be treated as 'priority' traffic.
##
## Another example (from the default configuration) is:
##
## TCP_BULK="1024: 21"
##
## which adds port 21 (the port used for ftp) and all ports 1024 and up to the
## list of destination ports for 'bulk' traffic. The result is that ftp
## downloads get a low priority, as does traffic to non-reserved ports (mostly
## peer-to-peer protocols). The notation '1024:' indicates a port range, in this
## case including all ports 1024 and higher. Another example of a port range is
## ':10' which means all ports from 0 to 10. A range from 10 to 20 is denoted as
## '10:20'.
##
## It is important to note that some variables take precedence over others. This
## becomes significant in cases where the same traffic is identified by
## different rules. An example is adding a UDP game port above 1024 to the
## express list. In the default configuration, all high ports (1024:) are
## included in the UDP_BULK variable. Without knowing the order of the rules, it
## is not possible to determine what the status of traffic to the game port will
## be. It turns out, the traffic will be classified as express, since UDP_EXPR
## takes precedence over UDP_BULK.
##
## The order of the variables is (lowest precedence first): L7_BULK, L7_PRIO,
## L7_EXPR, IPP2P_BULK, IPP2P_PRIO, IPP2P_EXPR, TCP_BULK, UDP_BULK, TCP_PRIO,
## UDP_PRIO, TCP_EXPR, UDP_EXPR, TOS_BULK, TOS_PRIO, TOS_EXPR, DSCP_BULK,
## DSCP_PRIO, DSCP_EXPR, IP_BULK, IP_PRIO, IP_EXPR
##
################################################################################

# Download speed in kilobits per second
# Set 5% - 10% lower than *measured* line speed (set to zero to disable)
DOWNLOAD=200

# Upload speed in kilobits per second
# Set 5% - 10% lower than *measured* line speed (set to zero to disable)
UPLOAD=70

# Bulk, prio and express Layer 7 protocol matches
L7_BULK=""
L7_PRIO=""
L7_EXPR=""

# IPP2P protocol matches
# Default 'ipp2p' includes all well-known peer-to-peer protocols
IPP2P_BULK="ipp2p"
IPP2P_PRIO=""
IPP2P_EXPR=""

# Destination ports for classifying 'bulk' traffic
TCP_BULK="1024: 21"
UDP_BULK="1024:"

# Destination ports for classifying 'priority' traffic
TCP_PRIO="22 23"
UDP_PRIO=""

# Destination ports for classifying 'express' traffic
TCP_EXPR="53"
UDP_EXPR="53"

# ToS (Type of Service) matches (egress only)
#TOS_BULK="0x02"
#TOS_PRIO=""
#TOS_EXPR="0x10"

# DSCP (Differentiated Services Code Point) matches (egress only)
DSCP_BULK=""
DSCP_PRIO=""
DSCP_EXPR=""

# LAN IP addresses for 'bulk', 'priority' and 'express' traffic
# IP address can include a port number or range, such as 192.168.1.1:80 or
# 192.168.1.1:5900:5910. To include all ports, specify the IP address only.
IP_BULK=""
IP_PRIO=""
IP_EXPR="192.168.2.30"

# Define custom QoS interface. Defaults to wan interface.
#QOS_IF=eth1

# Enable 'small UDP packets get priority' feature.
# Sets the maximum length for priority UDP packets.
UDP_LENGTH=500

# Set to 1 to enable logging of packets to syslog
DEBUG=0

From indunil75 at gmail.com Wed Sep 12 10:10:44 2007
From: indunil75 at gmail.com (Indunil Jayasooriya)
Date: Wed Sep 12 10:10:58 2007
Subject: [LARTC] ASTERISK BOX behind a filewall
Message-ID: <7ed6b0aa0709120110l5674c265yace30a1cef9b91d3@mail.gmail.com>

Hi All,

I want to put an ASTERISK BOX behind a firewall. So I have given the rules below.

iptables -A FORWARD -p udp -d 192.168.101.30 -m multiport --dports 3478,4569,5060 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p udp -d 192.168.101.30 --dport 10000:20000 -m state --state NEW -j ACCEPT

iptables -t nat -A PREROUTING -p udp -i eth0 -d 1.2.3.4 -m multiport --dports 3478,4569,5060 -j DNAT --to-destination 192.168.101.30
iptables -t nat -A PREROUTING -p udp -i eth0 -d 1.2.3.4 --dport 10000:20000 -j DNAT --to-destination 192.168.101.30

Please assume 1.2.3.4 is the IP that connects to the internet.

I use the X-Lite softphone to talk. I can register; it says "user ready". I can dial extensions as well. But when I talk, neither party can hear anything.

In the rtp.conf file, ports 10000 to 20000 are also available.

Hope to hear from you.

--
Thank you
Indunil Jayasooriya

From fernando.serto at memetrics.com Wed Sep 12 10:18:06 2007
From: fernando.serto at memetrics.com (Fernando Serto)
Date: Wed Sep 12 10:18:17 2007
Subject: [LARTC] ASTERISK BOX behind a filewall

Hi,

You should try and get support for Asterisk-related stuff on #asterisk on freenode. There's a good SIP over NAT guide at:

18:13 < jbot> [~sipnat] Quick guide on configuring * + SIP behind NAT : http://www.aocomputing.net/?p=3

Otherwise check the wiki at:

http://www.voip-info.org/wiki/view/Asterisk+SIP+NAT+solutions

When you're dialing from your X-Lite, are you trying another extension on the same network?
Cheers,
Fernando

> -----Original Message-----
> From: Indunil Jayasooriya [mailto:indunil75@gmail.com]
> Sent: Wednesday, 12 September 2007 6:11 PM
> To: CentOS mailing list; LARTC
> Subject: [LARTC] ASTERISK BOX behind a filewall
>
> Hi All,
>
> I want to put a ASTERISK BOX bend a Firewall. So I have given below
> rules.
>
> iptables -A FORWARD -p udp -d 192.168.101.30 -m multiport --dports 3478,4569,5060 -m state --state NEW -j ACCEPT
> iptables -A FORWARD -p udp -d 192.168.101.30 --dport 10000:20000 -m state --state NEW -j ACCEPT
>
> iptables -t nat -A PREROUTING -p udp -i eth0 -d 1.2.3.4 -m multiport --dports 3478,4569,5060 -j DNAT --to-destination 192.168.101.30
> iptables -t nat -A PREROUTING -p udp -i eth0 -d 1.2.3.4 --dport 10000:20000 -j DNAT --to-destination 192.168.101.30
>
> pls assume 1.2.3.4 is the ip that connects to the internet.
>
> I use Xlite sotphone to talk. I can register. it says user ready. I can
> dial extentions as well. But , WHEN I talk , Both parties can not hear
> anyrhing.
>
> in rtp.conf file, PORT 10000 to 20000 are also available.
>
> Hope to hear from you.
>
> --
> Thank you
> Indunil Jayasooriya

From indunil75 at gmail.com Wed Sep 12 10:37:56 2007
From: indunil75 at gmail.com (Indunil Jayasooriya)
Date: Wed Sep 12 10:38:02 2007
Subject: [LARTC] ASTERISK BOX behind a filewall
Message-ID: <7ed6b0aa0709120137g5dd61e1ai4eacd4463da1c03a@mail.gmail.com>

> When you're dialing from your xlite, are you trying another extension on
> the same network?

YES

--
Thank you
Indunil Jayasooriya
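
An added example, not from the thread or from the Asterisk project: the complete firewall side of Indunil's setup rendered as an iptables-restore(8) ruleset, with the sip.conf and rtp.conf settings that the SIP-behind-NAT guides Fernando links deal with, generated from the same variables so the RTP range in the firewall and in Asterisk cannot drift apart. Addresses and ports are Indunil's (1.2.3.4 on eth0, PBX 192.168.101.30, STUN/IAX2/SIP on 3478,4569,5060, RTP 10000-20000); the inside interface eth1, the LAN prefix 192.168.101.0/24, a DROP policy on FORWARD, the router's existing outbound SNAT and the conntrack match are assumptions. The posted rules only accept NEW packets toward the PBX, so if the FORWARD policy is DROP the media the PBX sends back out has nothing to match and a call that crosses the firewall registers fine but carries no audio; the ruleset therefore puts the ESTABLISHED,RELATED rule first. If both phones sit on the LAN, as Indunil's "YES" suggests, the firewall is not in the media path at all and the sip.conf side is where to look.

```shell
#!/bin/sh
# Added example: firewall rules and Asterisk NAT settings for a PBX behind a
# NAT router. Not from the thread; addresses and ports from Indunil's post,
# the inside interface, LAN prefix, DROP policy and outbound SNAT are assumed.

WAN_IF=eth0
WAN_IP=1.2.3.4
LAN_IF=eth1                      # assumed inside interface
LAN_NET=192.168.101.0/24         # assumed LAN prefix
PBX=192.168.101.30
SIG_PORTS=3478,4569,5060         # STUN, IAX2, SIP
RTP_RANGE=10000:20000            # the same range is written into rtp.conf below

# Print one iptables-restore line; printf '%s\n' keeps a leading "-A" literal.
rule() { printf '%s\n' "$*"; }

render_pbx_rules() {
    rule '*nat'
    # Inbound signalling and media from the internet go to the PBX.
    rule "-A PREROUTING -i $WAN_IF -p udp -d $WAN_IP -m multiport --dports $SIG_PORTS -j DNAT --to-destination $PBX"
    rule "-A PREROUTING -i $WAN_IF -p udp -d $WAN_IP --dport $RTP_RANGE -j DNAT --to-destination $PBX"
    # The router's ordinary outbound NAT (assumed to exist already).
    rule "-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP"
    rule 'COMMIT'

    rule '*filter'
    rule ':FORWARD DROP [0:0]'
    # Return traffic for anything already in the conntrack table. Without this
    # rule (and with a DROP policy) the RTP the PBX sends back never leaves.
    rule '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # New inbound sessions to the PBX, the same ports as the DNAT rules.
    rule "-A FORWARD -i $WAN_IF -o $LAN_IF -p udp -d $PBX -m multiport --dports $SIG_PORTS -m conntrack --ctstate NEW -j ACCEPT"
    rule "-A FORWARD -i $WAN_IF -o $LAN_IF -p udp -d $PBX --dport $RTP_RANGE -m conntrack --ctstate NEW -j ACCEPT"
    # The PBX itself may open outbound sessions (registrations to a provider,
    # RTP it happens to send before the far end does).
    rule "-A FORWARD -i $LAN_IF -o $WAN_IF -s $PBX -m conntrack --ctstate NEW -j ACCEPT"
    rule 'COMMIT'
}

# sip.conf [general]: advertise WAN_IP in Via/Contact/SDP to peers outside
# LAN_NET and keep the private address for peers inside it.
render_sip_nat_conf() {
    cat <<EOF
[general]
nat=yes
externip=$WAN_IP
localnet=$LAN_NET
EOF
}

# rtp.conf [general], derived from RTP_RANGE so it always matches the firewall.
render_rtp_conf() {
    cat <<EOF
[general]
rtpstart=${RTP_RANGE%:*}
rtpend=${RTP_RANGE#*:}
EOF
}

# Usage: ./pbx-nat.sh          -> print the firewall ruleset for review
#        ./pbx-nat.sh apply    -> load it (root; replaces the nat and filter tables)
#        ./pbx-nat.sh sip|rtp  -> print the sip.conf / rtp.conf fragments
case "${1:-}" in
    apply) render_pbx_rules | iptables-restore ;;
    sip)   render_sip_nat_conf ;;
    rtp)   render_rtp_conf ;;
    *)     render_pbx_rules ;;
esac
```

The ESTABLISHED,RELATED rule is the one most often missing from port-forwarding examples: DNAT rewrites the destination of the first packet, but the PBX's replies in the other direction still have to pass FORWARD, and with a DROP policy only a state match lets them through.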
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070912/a0c725a8/attachment.htm

From jonathan.gazeley at bristol.ac.uk Wed Sep 12 13:34:31 2007
From: jonathan.gazeley at bristol.ac.uk (Jonathan Gazeley)
Date: Wed Sep 12 13:34:40 2007
Subject: [LARTC] tc not matching
In-Reply-To: <46D7700C.4050105@andyfurniss.entadsl.com>
References: <46D5843C.6020606@bristol.ac.uk> <46D7045D.6080407@andyfurniss.entadsl.com> <46D7700C.4050105@andyfurniss.entadsl.com>
Message-ID: <46E7CEC7.6060806@bristol.ac.uk>

Andy,

Thanks for your script. I've been looking at it a lot but still can't get it to work in the way I need it to. While the script runs without errors echoed to ssh, it doesn't have the desired effect. The clients have a downlink shaped to 128kbit. However, each of my two test clients will happily download at rates much higher than 128kbit. Client 1 gets a rate of 160kB/s and Client 2 gets a rate of 250kB/s (yes, kilobytes, not kilobit). I have no idea why this is and it's starting to get confusing.

I know you mentioned that CPU timing wouldn't be reliable on dual-core CPUs (I have dual core) but you'd think the rate would be out by a factor of 2. Here, I'm getting a factor of 10 for one client and a factor of 16 for the other.

When I actually went to the console of the box earlier, there was loads of output from your script echoed to the console, each one saying that the quantum was too small and I should consider adjusting r2q. I don't really understand what this means.

Any advice gratefully received (from anyone else on the list as well as Andy!)

Cheers,
Jonathan

Andy Furniss wrote:
> I managed to have a play - CBQ doesn't seem too accurate it let
> netperf get throughput of about 180kbit. HTB was OK so I used that.
>
> Below is what I tested - I wouldn't consider it finished because it
> would probably be nicer to have SFQs on the bulk classes and something
> shorter on the interactives.
>
> I don't know how much memory this does/could use, if you don't specify
> child qdiscs htb uses pfifos with a length taken from txqueuelen (1000
> on eth) so that adds up to quite a bit. With window scaling on and a
> netperf running for each IP I managed to backlog >200 packets on each.
>
> Rather than police you could, if using recentish 2.6 use ifb and have
> the same setup on ingress eth0. Or if you don't do nat on the same box
> on the wan. If you do do nat and don't have ifb then you need to use
> netfilter to mark by ip and match the marks.
>
> If the hosts are wireless, then there may be other ways to make things
> better - not that I have wireless myself, but if there is much packet
> loss I always thought it would be better to proxy wan and have
> different MTU/MSS for the wlan - maybe also use one of the tcp
> congestion controls that's less sensitive to random loss.
>
> It would be more elegant to use tc's hashing but I've not done that
> before. The filters are nested so only the IP matches see up to all the
> traffic. I just matched tcp length <128 / not tcp for interactive.
>
> If you want counters for filter hits
>
> tc -s filter ls dev eth0
> for top level
>
> tc -s filter ls dev eth0 parent 1:1
> for the children
>
> tc -s class ls dev eth0
> for loads of htb data - beware the rates use a long average, it takes
> 100sec for them to be right for me.
>
> Andy
>
> #!/bin/sh
> #set -x
>
> # Interfaces
> LAN=eth0
> DOWNLINK=128
>
> # IP range in each subnet
> LOW_IP=2
> HIGH_IP=254
>
> # Flush existing rules
> tc qdisc del dev $LAN root
>
> tc qdisc add dev $LAN root handle 1: htb
>
> # Set useful counter
> total=0
>
> # Apply rules for all included subnets
> for i in `seq $LOW_IP $HIGH_IP`
> do
> total=$((total+1))
> echo 172.19.123.$i
> # per-host parent class, then an interactive (a) and a bulk (b) child
> tc class add dev $LAN parent 1: classid 1:$total htb rate ${DOWNLINK}kbit
> tc class add dev $LAN parent 1:$total classid 1:a$total htb rate 100kbit ceil ${DOWNLINK}kbit prio 0
> tc class add dev $LAN parent 1:$total classid 1:b$total htb rate 28kbit ceil ${DOWNLINK}kbit prio 1
> # top-level filter selects the host; nested filters split its traffic
> tc filter add dev $LAN parent 1: protocol ip prio 1 u32 match ip src 172.19.123.$i flowid 1:$total
> # tcp with ip total length < 128 (offset 2, mask 0xff80) -> interactive
> tc filter add dev $LAN parent 1:$total protocol ip prio 2 u32 match ip protocol 6 0xff match u16 0x0000 0xff80 at 2 flowid 1:a$total
> # remaining tcp -> bulk, everything else -> interactive
> tc filter add dev $LAN parent 1:$total protocol ip prio 3 u32 match ip protocol 6 0xff flowid 1:b$total
> tc filter add dev $LAN parent 1:$total protocol ip prio 4 u32 match u32 0 0 flowid 1:a$total
> done
>
>
>

-- 
------------------------
Jonathan Gazeley
ResNet | Wireless & VPN Team
Information Systems & Computing
University of Bristol
------------------------

From rodrigocc at gmail.com Wed Sep 12 19:32:22 2007
From: rodrigocc at gmail.com (Rodrigo Campos)
Date: Wed Sep 12 19:32:27 2007
Subject: [LARTC] ASTERISK BOX behind a firewall
In-Reply-To: <7ed6b0aa0709120110l5674c265yace30a1cef9b91d3@mail.gmail.com>
References: <7ed6b0aa0709120110l5674c265yace30a1cef9b91d3@mail.gmail.com>
Message-ID: <33d560f70709121032y442eed2an288e093aced80a19@mail.gmail.com>

On 9/12/07, Indunil Jayasooriya wrote:
> Hi All,
>
> I want to put an ASTERISK BOX behind a Firewall. So I have given the rules below.
>
>
> iptables -A FORWARD -p udp -d 192.168.101.30 -m multiport --dports 3478,4569,5060 -m state --state NEW -j ACCEPT
> iptables -A FORWARD -p udp -d 192.168.101.30 --dport 10000:20000 -m state --state NEW -j ACCEPT
>
> iptables -t nat -A PREROUTING -p udp -i eth0 -d 1.2.3.4 -m multiport --dports 3478,4569,5060 -j DNAT --to-destination 192.168.101.30
> iptables -t nat -A PREROUTING -p udp -i eth0 -d 1.2.3.4 --dport 10000:20000 -j DNAT --to-destination 192.168.101.30
>
> Please assume 1.2.3.4 is the IP that connects to the internet.
>
>
> I use the Xlite softphone to talk. I can register; it says "user ready". I can dial
> extensions as well. But WHEN I talk, both parties cannot hear anything.
>

It doesn't seem (to me) to be the fault of iptables, but are you "SNATting" that PC with address "1.2.3.4"? If you aren't, perhaps it's that. If it's not that, I think you should check your sip.conf for externip, localnetwork, canreinvite and those things (or something similar, I don't remember now how those options are written).

Hope it helps

Thanks,
Rodrigo

From lists at andyfurniss.entadsl.com Wed Sep 12 22:46:41 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Wed Sep 12 22:46:35 2007
Subject: [LARTC] tc not matching
In-Reply-To: <46E7CEC7.6060806@bristol.ac.uk>
References: <46D5843C.6020606@bristol.ac.uk> <46D7045D.6080407@andyfurniss.entadsl.com> <46D7700C.4050105@andyfurniss.entadsl.com> <46E7CEC7.6060806@bristol.ac.uk>
Message-ID: <46E85031.9090609@andyfurniss.entadsl.com>

Jonathan Gazeley wrote:
> Andy,
>
> Thanks for your script. I've been looking at it a lot but still can't
> get it to work in the way I need it to. While the script runs without
> errors echoed to ssh, it doesn't have the desired effect. The clients
> have a downlink shaped to 128kbit. However, each of my two test clients
> will happily download at rates much higher than 128kbit. Client 1 gets a
> rate of 160kB/s and Client 2 gets a rate of 250kB/s (yes, kilobytes, not
> kilobit).
> I have no idea why this is and it's starting to get confusing.
>
> I know you mentioned that CPU timing wouldn't be reliable on dual-core
> CPUs (I have dual core) but you'd think the rate would be out by a
> factor of 2. Here, I'm getting a factor of 10 for one client and a
> factor of 16 for the other.

I don't know how much the CPU timing would affect things.

I assume you changed src to dst in the match.

Are you testing downloads from the wan or hosted on the box doing the shaping?

After an overrate download can you post the output of -

tc -s class ls dev eth0 | grep "parent 1:X" -A 4

changing the X in "parent 1:X" to one less than the last part of the IP address of the test machine.

>
> When I actually went to the console of the box earlier, there was loads
> of output from your script echoed to the console, each one saying that
> the quantum was too small and I should consider adjusting r2q. I don't
> really understand what this means.

That shouldn't really hurt too much, to fix it you could either add quantum 1514 to each of the two child classes or r2q 2 to the root class.

FWIW I tried browsing with this setup and downloading as well and it's not very nice with such a long queue. An ISP/telco would never have that long a fifo on a 128kbit line. It would be better to add an sfq to the bulk class or limit the length of the fifo.

Andy.

From jonathan.gazeley at bristol.ac.uk Thu Sep 13 12:26:28 2007
From: jonathan.gazeley at bristol.ac.uk (Jonathan Gazeley)
Date: Thu Sep 13 12:26:50 2007
Subject: [LARTC] tc not matching
In-Reply-To: <46E85031.9090609@andyfurniss.entadsl.com>
References: <46D5843C.6020606@bristol.ac.uk> <46D7045D.6080407@andyfurniss.entadsl.com> <46D7700C.4050105@andyfurniss.entadsl.com> <46E7CEC7.6060806@bristol.ac.uk> <46E85031.9090609@andyfurniss.entadsl.com>
Message-ID: <46E91054.6070105@bristol.ac.uk>

Andy Furniss wrote:
> I assume you changed src to dst in the match.

Yes I did this some time ago.
> Are you testing downloads from the wan or hosted on the box doing the
> shaping?

All downloads are coming from the WAN via eth1 - nothing else runs on this box except NAT and shaping.

> After an overrate download can you post the output of -
>
> tc -s class ls dev eth0 | grep "parent 1:X" -A 4
>
> changing the X in "parent 1:X" to one less than the last part of the
> IP address of the test machine.

Results appended. Sadly everything seems to show zero bytes. I checked that everything is flowing through the correct interface, and yes it appears to do so. This box has 3 interfaces. eth0 is the one facing the NAT clients, eth1 is the public internet connection and eth2 is a management interface. Only ssh traffic to my workstation is flowing on eth2. I see two-way FTP traffic flowing on eth1 (I am downloading large files from an FTP server for testing) but on eth0, I only see traffic LEAVING the NAT clients and entering my shaping box. I have no idea why I don't see traffic with destination of the NAT clients. There is no way that the traffic could be "leaking" around my shaping box - eth0 is physically connected to a 5 port switch with my test clients on.

>> When I actually went to the console of the box earlier, there was
>> loads of output from your script echoed to the console, each one
>> saying that the quantum was too small and I should consider adjusting
>> r2q. I don't really understand what this means.
> That shouldn't really hurt too much, to fix it you could either add
> quantum 1514 to each of the two child classes or r2q 2 to the root class.

Adding r2q seemed to work.

> FWIW I tried browsing with this setup and downloading as well and it's
> not very nice with such a long queue. An ISP/telco would never have
> that long a fifo on a 128kbit line. It would be better to add an sfq
> to the bulk class or limit the length of the fifo.

Sorry for such a simplistic question - how might this be done?
However I'm not overly worried about making the quality of service perfect - I just need it to be limited bandwidth. The reason why I want such a restricted service is because the shaped NAT clients of this box are going to be the "naughty" users on the university network who will have their 100Mbit service reduced to 128kbit for a week as punishment for rulebreaking etc. So if people complain about the occasional dropped packet - they shouldn't have been downloading copyright material in the first place!

------------------------
Jonathan Gazeley
ResNet | Wireless & VPN Team
Information Systems & Computing
University of Bristol
------------------------

[root@pokey ~]# tc -s class ls dev eth0 | grep "parent 1:14" -A 4
class htb 1:b148 parent 1:148 prio 1 rate 28000bit ceil 128000bit burst 1603b cburst 1616b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 458000 ctokens: 101000
--
class htb 1:a149 parent 1:149 prio 0 rate 100000bit ceil 128000bit burst 1612b cburst 1616b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 128960 ctokens: 101000
--
class htb 1:a148 parent 1:148 prio 0 rate 100000bit ceil 128000bit burst 1612b cburst 1616b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 128960 ctokens: 101000
--
class htb 1:b149 parent 1:149 prio 1 rate 28000bit ceil 128000bit burst 1603b cburst 1616b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 458000 ctokens: 101000
--
class htb 1:b146 parent 1:146 prio 1 rate 28000bit ceil 128000bit burst 1603b cburst 1616b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 458000 ctokens: 101000
--
class htb 1:a147 parent 1:147 prio 0 rate 100000bit ceil 128000bit burst 1612b cburst 1616b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 128960 ctokens: 101000
--
class htb 1:a146 parent 1:146 prio 0 rate 100000bit ceil 128000bit burst 1612b cburst 1616b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 128960 ctokens: 101000
--
class htb 1:b147 parent 1:147 prio 1 rate 28000bit ceil 128000bit burst 1603b cburst 1616b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 458000 ctokens: 101000
--
class htb 1:b144 parent 1:144 prio 1 rate 28000bit ceil 128000bit burst 1603b cburst 1616b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 458000 ctokens: 101000
--
class htb 1:a145 parent 1:145 prio 0 rate 100000bit ceil 128000bit burst 1612b cburst 1616b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 128960 ctokens: 101000
--
class htb 1:a144 parent 1:144 prio 0 rate 100000bit ceil 128000bit burst 1612b cburst 1616b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 128960 ctokens: 101000
--
class htb 1:b145 parent 1:145 prio 1 rate 28000bit ceil 128000bit burst 1603b cburst 1616b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 458000 ctokens: 101000
--
class htb 1:b142 parent 1:142 prio 1 rate 28000bit ceil 128000bit burst 1603b cburst 1616b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 458000 ctokens: 101000
--
class htb 1:a143 parent 1:143 prio 0 rate 100000bit ceil 128000bit burst 1612b cburst 1616b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 128960 ctokens: 101000
--
class htb 1:a142 parent 1:142 prio 0 rate 100000bit ceil 128000bit burst 1612b cburst 1616b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 128960 ctokens: 101000
--
class htb 1:b143 parent 1:143 prio 1 rate 28000bit ceil 128000bit burst 1603b cburst 1616b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 458000 ctokens: 101000
--
class htb 1:b14 parent 1:14 prio 1 rate 28000bit ceil 128000bit burst 1603b cburst 1616b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 458000 ctokens: 101000
--
class htb 1:b140 parent 1:140 prio 1 rate 28000bit ceil 128000bit burst 1603b cburst 1616b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 458000 ctokens: 101000
--
class htb 1:a141 parent 1:141 prio 0 rate 100000bit ceil 128000bit burst 1612b cburst 1616b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 128960 ctokens: 101000
--
class htb 1:a14 parent 1:14 prio 0 rate 100000bit ceil 128000bit burst 1612b cburst 1616b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 128960 ctokens: 101000
--
class htb 1:a140 parent 1:140 prio 0 rate 100000bit ceil 128000bit burst 1612b cburst 1616b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 128960 ctokens: 101000
--
class htb 1:b141 parent 1:141 prio 1 rate 28000bit ceil 128000bit burst 1603b cburst 1616b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 458000 ctokens: 101000

From iloose2 at gmail.com Thu Sep 13 22:04:29 2007
From: iloose2 at gmail.com (William Gemmill)
Date: Thu Sep 13 22:04:34 2007
Subject: [LARTC] Routing for Dual ISP connections
Message-ID: <2056e8ae0709131304m6f43d074l208eca3edd07b6ce@mail.gmail.com>

I'm trying to connect to two ISPs; the connections are as follows:

Eth0 IP: 192.168.1.1 Mask: 255.255.255.0
Eth1 IP: 216.167.217.241 Mask: 255.255.255.0
Eth2 IP: 216.167.208.40 Mask: 255.255.255.0

Here are the commands to set things up:

#Load modules
insmod /lib/modules/2.6.19.2-pyramid.metrix.net/kernel/net/ipv4/multipath_drr.ko
insmod /lib/modules/2.6.19.2-pyramid.metrix.net/kernel/net/ipv4/multipath_random.ko
insmod /lib/modules/2.6.19.2-pyramid.metrix.net/kernel/net/ipv4/multipath_wrandom.ko
insmod /lib/modules/2.6.19.2-pyramid.metrix.net/kernel/net/ipv4/multipath_rr.ko

#Source IP routing for Eth2
ip rule add from 216.167.208.40 lookup 2
ip route add 192.168.1.0/24 via 192.168.1.1 table 2
ip route add 0/0 via 216.167.208.1 table 2

#Source IP routing for Eth1
ip rule add from 216.167.217.241 lookup 3
ip route add 192.168.1.0/24 via 192.168.1.1 table 3
ip route add 0/0 via 216.167.217.1 table 3

ip route add default equalize \
    nexthop via 216.167.208.1 dev eth2 \
    nexthop via 216.167.217.1 dev eth1

#Setup NAT
iptables -F -t filter
iptables -F -t nat
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

When the ip route add default equalize command is run it adds one default route to the routing table:

pyramid:~# route -vn
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
216.167.217.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
216.167.208.0   0.0.0.0         255.255.255.0   U     0      0        0 eth2
0.0.0.0         216.167.208.1   0.0.0.0         UG    0      0        0 eth2

However looking at ip route show both routes are present:

pyramid:~# ip route show
216.167.217.0/24 dev eth1  proto kernel  scope link  src 216.167.217.241
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
216.167.208.0/24 dev eth2  proto kernel  scope link  src 216.167.208.40
default equalize
        nexthop via 216.167.208.1  dev eth2 weight 1
        nexthop via 216.167.217.1  dev eth1 weight 1

If I change the order of the routes for the ip route equalize command the first route listed there is always shown in the routing table. But the route that is not listed by route -vn is always used. I do not understand why a single default gateway is being added. To my understanding no default gateways should be shown by route -vn.

Thanks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070913/d1c1e00e/attachment.html

From lists at andyfurniss.entadsl.com Fri Sep 14 01:43:03 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Fri Sep 14 01:43:04 2007
Subject: [LARTC] tc not matching
In-Reply-To: <46E91054.6070105@bristol.ac.uk>
References: <46D5843C.6020606@bristol.ac.uk> <46D7045D.6080407@andyfurniss.entadsl.com> <46D7700C.4050105@andyfurniss.entadsl.com> <46E7CEC7.6060806@bristol.ac.uk> <46E85031.9090609@andyfurniss.entadsl.com> <46E91054.6070105@bristol.ac.uk>
Message-ID: <46E9CB07.6070101@andyfurniss.entadsl.com>

Jonathan Gazeley wrote:
> Results appended. Sadly everything seems to show zero bytes. I checked
> that everything is flowing through the correct interface, and yes it
> appears to do so. This box has 3 interfaces. eth0 is the one facing the
> NAT clients, eth1 is the public internet connection and eth2 is a
> management interface. Only ssh traffic to my workstation is flowing on
> eth2.
> I see two-way FTP traffic flowing on eth1 (I am downloading large
> files from an FTP server for testing) but on eth0, I only see traffic
> LEAVING the NAT clients and entering my shaping box. I have no idea why
> I don't see traffic with destination of the NAT clients. There is no way
> that the traffic could be "leaking" around my shaping box - eth0 is
> physically connected to a 5 port switch with my test clients on.

That's strange - so there are no vlans involved and tcpdump -nnei eth0 only sees traffic coming in?

If the nic is a gig eth, I wonder if its drivers are doing something strange to do with segmentation offload. You should be able to turn it off with ethtool.

ethtool -k eth0 to see if it is on (-k shows the offload settings) and turn it off with

ethtool -K eth0 tso off

(capital -K sets them).

>> FWIW I tried browsing with this setup and downloading as well and it's
>> not very nice with such a long queue. An ISP/telco would never have
>> that long a fifo on a 128kbit line. It would be better to add an sfq
>> to the bulk class or limit the length of the fifo.
> Sorry for such a simplistic question - how might this be done? However
> I'm not overly worried about making the quality of service perfect - I
> just need it to be limited bandwidth. The reason why I want such a
> restricted service is because the shaped NAT clients of this box are
> going to be the "naughty" users on the university network who will have
> their 100Mbit service reduced to 128kbit for a week as punishment for
> rulebreaking etc. So if people complain about the occasional dropped
> packet - they shouldn't have been downloading copyright material in the
> first place!

Ahh I see - actually packet loss could make things nicer by getting the tcp sender's congestion control to back off. The command for sfq would be

tc qdisc add dev $LAN parent 1:b$total handle b$total: sfq limit 30

in the loop under the bulk class. You could just have pfifo instead of sfq if you wanted, and the limit of 30 can be changed.
sfq has a parameter called perturb, which can make it fairer at the expense of packet reordering, but it can also make single downloads back off a bit too much, so I didn't use it.

The script is not the best example bash wise as I just adapted it from the one you started with. It could be done better - eg my mixing of hex and decimal for class ids is not ideal and total is not needed as such, but it should work.

Andy.

From indunil75 at gmail.com Fri Sep 14 09:36:56 2007
From: indunil75 at gmail.com (Indunil Jayasooriya)
Date: Fri Sep 14 09:37:19 2007
Subject: [LARTC] pkgs to monitor traffic
Message-ID: <7ed6b0aa0709140036j4fc22d2dgafc475759dc09b77@mail.gmail.com>

Hi all,

I have a 256kbit link where I have shaped 64kbit for downloading on one ethernet (eth1). I am using mrtg to monitor it. It works fine. In addition to that, I am looking for some other pkgs. Are there good pkgs for that purpose?

Below is my script for downloading. I am looking for pkgs that suit the script below.

#traffic shaping on eth1 (Downloading)
INTERFAZ_DMZ=eth1
FULLBANDWIDTH=256
BANDWIDTH4DMZ=64

tc qdisc del root dev $INTERFAZ_DMZ
tc qdisc add dev $INTERFAZ_DMZ root handle 1: htb r2q 4
tc class add dev $INTERFAZ_DMZ parent 1: classid 1:1 htb rate "$FULLBANDWIDTH"Kbit
tc class add dev $INTERFAZ_DMZ parent 1:1 classid 1:10 htb rate "$BANDWIDTH4DMZ"Kbit
tc qdisc add dev $INTERFAZ_DMZ parent 1:10 handle 10: sfq perturb 10
# http and https replies towards the DMZ go into the 64kbit class
tc filter add dev $INTERFAZ_DMZ parent 1: protocol ip prio 1 u32 match ip sport 80 0xffff match ip dst 192.168.100.0/24 classid 1:10
tc filter add dev $INTERFAZ_DMZ parent 1: protocol ip prio 1 u32 match ip sport 443 0xffff match ip dst 192.168.100.0/24 classid 1:10

HOPE TO HEAR FROM YOU

-- 
Thank you
Indunil Jayasooriya
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ds9a.nl/pipermail/lartc/attachments/20070914/5bca48d1/attachment.htm

From jonathan.gazeley at bristol.ac.uk Fri Sep 14 10:08:16 2007
From: jonathan.gazeley at bristol.ac.uk (Jonathan Gazeley)
Date: Fri Sep 14 10:08:22 2007
Subject: [LARTC] tc not matching
In-Reply-To: <46E9CB07.6070101@andyfurniss.entadsl.com>
References: <46D5843C.6020606@bristol.ac.uk> <46D7045D.6080407@andyfurniss.entadsl.com> <46D7700C.4050105@andyfurniss.entadsl.com> <46E7CEC7.6060806@bristol.ac.uk> <46E85031.9090609@andyfurniss.entadsl.com> <46E91054.6070105@bristol.ac.uk> <46E9CB07.6070101@andyfurniss.entadsl.com>
Message-ID: <46EA4170.3020203@bristol.ac.uk>

Andy Furniss wrote:
> That's strange - so there are no vlans involved and tcpdump -nnei eth0
> only sees traffic coming in?

Nope, no vlans. And yes, both tcpdump and tethereal see only the outgoing (i.e. clients to internet) ack packets, but not the actual incoming data packets. Like I said, it can't be a routing problem because the only physical route those packets can take between the NAT clients and the internet is via eth0 on this box. All four interfaces on the box I'm using are Intel ones, so not just some cheap rubbish! Probably unlikely to be drivers too?

>
> If the nic is a gig eth, I wonder if its drivers are doing something
> strange to do with segmentation offload. You should be able to turn it
> off with ethtool.
>
> ethtool -k eth0 to see if it is on and turn it off with
>
> ethtool -K eth0 tso off

All the interfaces are gigabit. Segmentation offload was enabled on eth0 - now it's off but appears to have had no effect on the bandwidth :(

>>> FWIW I tried browsing with this setup and downloading as well and
>>> it's not very nice with such a long queue. An ISP/telco would never
>>> have that long a fifo on a 128kbit line. It would be better to add
>>> an sfq to the bulk class or limit the length of the fifo.
>> Sorry for such a simplistic question - how might this be done?
>> However I'm not overly worried about making the quality of service
>> perfect - I just need it to be limited bandwidth. The reason why I
>> want such a restricted service is because the shaped NAT clients of
>> this box are going to be the "naughty" users on the university
>> network who will have their 100Mbit service reduced to 128kbit for a
>> week as punishment for rulebreaking etc. So if people complain about
>> the occasional dropped packet - they shouldn't have been downloading
>> copyright material in the first place!
>
> Ahh I see - actually packet loss could make things nicer by getting
> the tcp sender's congestion control to back off. The command for sfq
> would be
>
> tc qdisc add dev $LAN parent 1:b$total handle b$total: sfq limit 30
>
> in the loop under the bulk class.

Yep - just tried this too. Again, this appears to have zero effect on the bandwidth. Client 1 still downloads flatly at 166kb/s and Client 2 at 250kb/s. Something pretty weird is going on.

Actually a colleague here has offered to set up a Cisco router to do the shaping and let my box just do the NAT. Start of term is imminent and this MUST be live within a week!

Thanks for all your help though, you've been excellent and I've learned loads of stuff. As a relative beginner with Linux, this is yet another experience where something didn't work as it should, despite the advice of documentation, colleagues, lists, websites, etc...

Cheers,
Jonathan

------------------------
Jonathan Gazeley
ResNet | Wireless & VPN Team
Information Systems & Computing
University of Bristol
------------------------

From jonathan.gazeley at bristol.ac.uk Fri Sep 14 16:06:04 2007
From: jonathan.gazeley at bristol.ac.uk (Jonathan Gazeley)
Date: Fri Sep 14 16:06:10 2007
Subject: [LARTC] make tc stop!
Message-ID: <46EA954C.4050406@bristol.ac.uk>

I want to stop shaping from running on my box, without rebooting it. What's the best way to get rid of any tc rules?
I have tried "tc qdisc del dev eth0 root" which appeared to be successful but traffic through my box is still very slow.

Cheers,
Jonathan

------------------------
Jonathan Gazeley
ResNet | Wireless & VPN Team
Information Systems & Computing
University of Bristol
------------------------

From lartc at dervishd.net Fri Sep 14 18:24:23 2007
From: lartc at dervishd.net (DervishD)
Date: Fri Sep 14 18:23:14 2007
Subject: [LARTC] make tc stop!
In-Reply-To: <46EA954C.4050406@bristol.ac.uk>
References: <46EA954C.4050406@bristol.ac.uk>
Message-ID: <20070914162408.GC4917@DervishD>

Hi Jonathan :)

* Jonathan Gazeley dixit:
> I want to stop shaping from running on my box, without rebooting it.
> What's the best way to get rid of any tc rules?
> I have tried "tc qdisc del dev eth0 root" which appeared to be
> successful but traffic through my box is still very slow.

The slow speed probably has another explanation, but the command above, if successful, will stop shaping in eth0 :??

Raúl Núñez de Arenas Coronado

-- 
Linux Registered User 88736 | http://www.dervishd.net
It's my PC and I'll cry if I want to... RAmen!
We are waiting for 13 Feb 2009 23:31:30 +0000 ...

From shemminger at linux-foundation.org Fri Sep 14 23:04:28 2007
From: shemminger at linux-foundation.org (Stephen Hemminger)
Date: Fri Sep 14 23:04:03 2007
Subject: [LARTC] make tc stop!
In-Reply-To: <46EA954C.4050406@bristol.ac.uk>
References: <46EA954C.4050406@bristol.ac.uk>
Message-ID: <20070914230428.52446a0a@oldman>

On Fri, 14 Sep 2007 15:06:04 +0100
Jonathan Gazeley wrote:

> I want to stop shaping from running on my box, without rebooting it.
> What's the best way to get rid of any tc rules?
> I have tried "tc qdisc del dev eth0 root" which appeared to be
> successful but traffic through my box is still very slow.
>
> Cheers,
> Jonathan

tc qdisc del dev eth0 root

From mateusz-matusiak at wp.pl Sat Sep 15 13:36:25 2007
From: mateusz-matusiak at wp.pl (Mateusz Matusiak)
Date: Sat Sep 15 13:36:54 2007
Subject: [LARTC] htb : server trafficcontrol
Message-ID: <46ebc3b932656@wp.pl>

Hi everyone,

I have a small problem. I have my debian server set up in my home. I have set up htb and it is working perfectly. The only problem I have is to control the traffic server <-> internet.

I have a daemon (bittorrent) and I would like to limit its download to a certain amount. How can I do that?

I have tried layer7 but it seems I'm doing something wrong in the htb script.

Any idea how to control that traffic (serv <-> net)?

It's the same problem with apt etc etc. When I use it, it uses the entire amount of bandwidth...

With Kind Regards
Matt

From karme at berlios.de Sat Sep 15 15:37:11 2007
From: karme at berlios.de (Jens Thiele)
Date: Sat Sep 15 15:37:30 2007
Subject: [LARTC] htb : server trafficcontrol
In-Reply-To: <46ebc3b932656@wp.pl> (Mateusz Matusiak's message of "Sat\, 15 Sep 2007 13\:36\:25 +0200")
References: <46ebc3b932656@wp.pl>
Message-ID: <87lkb8t5h4.fsf@thialfi.karme-net.hirschau>

On 15 Sep 2007, mateusz-matusiak@wp.pl wrote:
> Hi everyone,
>
> I have a small problem. I have my debian server set up in my home.
> I have set up htb and it is working perfectly.
> The only problem I have is to control the traffic server <-> internet
>
> I have a daemon (bittorrent) and I would like to limit its download to
> a certain amount. How can I do that?
>
> I have tried layer7 but it seems I'm doing something wrong in the htb
> script.
>
>
> Any idea how to control that traffic (serv <-> net)
>
> Its the same problems with apt etc etc When I use it, it uses the
> entire amount of bandwidth...
>
>
> With Kind Regards
> Matt

Assuming your server does NAT for your LAN you probably want to use IMQ

Greetings
Jens

From marek at piasta.pl Sat Sep 15 17:42:24 2007
From: marek at piasta.pl (Marek Kierdelewicz)
Date: Sat Sep 15 17:43:14 2007
Subject: [LARTC] htb : server trafficcontrol
In-Reply-To: <46ebc3b932656@wp.pl>
References: <46ebc3b932656@wp.pl>
Message-ID: <20070915174224.109853a3@catlap>

>Any idea how to control that traffic (serv <-> net)
>
>Its the same problems with apt etc etc When I use it, it uses the
>entire amount of bandwidth...

You can shape download to server on ingress using IFB:
http://linux-net.osdl.org/index.php?title=IFB

IMQ could also be helpful, but IFB is included in vanilla kernels. IMQ isn't and never will be.

Cheers,
Marek Kierdelewicz

From karme at berlios.de Sat Sep 15 18:43:14 2007
From: karme at berlios.de (Jens Thiele)
Date: Sat Sep 15 18:43:35 2007
Subject: [LARTC] htb : server trafficcontrol
In-Reply-To: <20070915174224.109853a3@catlap> (Marek Kierdelewicz's message of "Sat\, 15 Sep 2007 17\:42\:24 +0200")
References: <46ebc3b932656@wp.pl> <20070915174224.109853a3@catlap>
Message-ID: <87wsurzxp9.fsf@thialfi.karme-net.hirschau>

On 15 Sep 2007, marek@piasta.pl wrote:

> You can shape download to server on ingress using IFB:
> http://linux-net.osdl.org/index.php?title=IFB

But AFAIK at the moment practically only if there is no NAT involved (or if you do not want to classify de-nated traffic).

Any news regarding this problem?
Greetings
Jens

From salatiel.filho at gmail.com Sun Sep 16 05:43:00 2007
From: salatiel.filho at gmail.com (Salatiel Filho)
Date: Sun Sep 16 05:43:18 2007
Subject: [LARTC] doubt about bridge qdisc
Message-ID:

Hi guys, I have a little doubt;
I have eth0 ethernet and eth1 wireless, and they are bridged in br0

Is there any difference in the behavior between doing

tc qdisc add dev br0 root sfq

OR

tc qdisc add dev eth0 root sfq && tc qdisc add dev eth1 root sfq

-- 
[]'s
Salatiel

"The greatest pleasure of the intelligent man is to play the idiot
in front of an idiot who plays the intelligent man."

From marek at piasta.pl Sun Sep 16 09:48:00 2007
From: marek at piasta.pl (Marek Kierdelewicz)
Date: Sun Sep 16 09:49:02 2007
Subject: [LARTC] htb : server trafficcontrol
In-Reply-To: <87wsurzxp9.fsf@thialfi.karme-net.hirschau>
References: <46ebc3b932656@wp.pl> <20070915174224.109853a3@catlap> <87wsurzxp9.fsf@thialfi.karme-net.hirschau>
Message-ID: <20070916094800.5e7a481d@catlap>

>But AFAIK at the moment practically only if there is no NAT involved
>(or if you do not want to classify de-nated traffic).
>Any news regarding this problem?

Suppose we have a simple router with upstream interface connected to internet (eth0) and downstream interface connected to lan (eth1). Lan uses private addressing so there is a NAT rule used for traffic leaving eth0.

You can redirect lan->internet traffic from ingress qdisc of eth1 to ifb0. Traffic on ifb0 will be in "before-nat" state, so private address based shaping will be possible. So no need for classifying de-nated traffic.

Some people here on lartc list shared opinions that shaping in ingress is not effective. It worked for me well on routers with hundreds of clients.
Cheers,
Marek Kierdelewicz

From rabbit+list at rabbit.us Sun Sep 16 11:53:55 2007
From: rabbit+list at rabbit.us (Peter Rabbitson)
Date: Sun Sep 16 11:54:02 2007
Subject: [LARTC] Yet another shaping question
Message-ID: <46ECFD33.1030302@rabbit.us>

Hello list,

I need to realize a complicated custom shaping setup, and given very little experience with shaping I just can't wrap my head around it. I am not seeking a complete script, I just need an idea/a set of pointers on how to best subdivide traffic according to my needs, and which shapers to place on every leaf. I am very experienced with netfilter and have minor experience with HTB so keep it concise and technical. Enough blabber here is the setup:

   -----------     -----------
   -  wan_a  -     -  wan_b  -
   - 1.1.1.1 -     - 5.5.5.5 -
   - 1.1.1.2 -     -         -
   -----------     -----------
         \           /
          \         /
      ----------------------
      -   Server/Router    -
      ----------------------
          /         \
         /           \
   ------------    ------------
   -  lan_a   -    -  lan_b   -
   - 10.1.0.0 -    - 10.2.0.0 -
   ------------    ------------

* Both wan links are synchronous, so excessive queuing is not a problem
* Traffic from both lans is balanced between both 1.1.1.1 and 5.5.5.5 using the statistic/random match, and every connection is kept where it started using CONNMARK
* The default gateway of Server is either 1.1.1.1 or 5.5.5.5, adjusted depending on the circumstances
* 1.1.1.2 is used only by a specific process (PROC) on the Server and nothing else, all other services listen on 0.0.0.0
* The network of lan_a is a /24 logically subdivided into 4 /26 segments: A1 A2 A3 and A4

Here are the goals:
===================

* All small packets get best treatment no matter where they come from. I am not sure what "small" exactly is but I obviously want to serve ARP, SYN, ACK, small TCP (HTTP requests, SSH sessions) and small UDP (skype) with utmost priority.
* If I understand correctly I do not have much control on what comes FROM the internet destined for processes on the Server itself, so it is left as is.
* The rest of the traffic coming FROM the internet is forwarded with diminishing priority to: A1 A2 A3 lan_b A4
* Outgoing traffic TO the internet is sent with this priority: A1 A2 A3 Server lan_b A4 PROC

I sort of imagine how to do every single one of these, but when it comes to combining it all I can't figure it out. Any help would be greatly appreciated.

From raghuvendra.kumar at bhartitelesoft.com Sun Sep 16 12:16:30 2007
From: raghuvendra.kumar at bhartitelesoft.com (Raghuvendra Kumar)
Date: Sun Sep 16 12:15:42 2007
Subject: [LARTC] using tc to drop packets based on the diffserc or tos value
Message-ID:

Hi all,

I am wondering if anyone can help me to resolve a problem.

I am trying to use tc command in linux to drop udp packets of specific diffserv value.

I am able to set diffserv value successfully in the udp packet using command:-

[root@scotch src]#iptables --table mangle --append OUTPUT \
  --out-interface eth0 --protocol udp --source-port 5060 \
  --jump DSCP --set-dscp 8

but I am not able to drop a packet with a specific diffserv value. I have worked out a command, but it's not working:-

[root@scotch src]#tc filter add dev eth0 protocol ip u32 match ip dsfield 8 police drop

It's showing error "Illegal "match".

Can any one of you guide me, what is the correct way of doing it.
It's important, please post a reply ASAP.
Raghuvendra

Raghuvendra Kumar | BTSL 414 | Ext
011-41619770 | Desk
+91-9818143739 | Mobile
raghuvendra.kumar@bhartitelesoft.com | EMail

From karme at berlios.de Sun Sep 16 17:31:05 2007
From: karme at berlios.de (Jens Thiele)
Date: Sun Sep 16 17:31:14 2007
Subject: [LARTC] htb : server trafficcontrol
In-Reply-To: <20070916094800.5e7a481d@catlap> (Marek Kierdelewicz's message of "Sun\, 16 Sep 2007 09\:48\:00 +0200")
References: <46ebc3b932656@wp.pl> <20070915174224.109853a3@catlap> <87wsurzxp9.fsf@thialfi.karme-net.hirschau> <20070916094800.5e7a481d@catlap>
Message-ID: <87lkb6d3uu.fsf@thialfi.karme-net.hirschau>

On 16 Sep 2007, marek@piasta.pl wrote:

> Suppose we have simple router with upstream interface connected
> to internet (eth0) and downstream interface connected to lan (eth1).
> Lan uses private addressing so there is NAT rule used for traffic
> leaving eth0.
>
> You can redirect lan->internet traffic from ingress qdisc
> of eth1 to ifb0. Traffic on ifb0 will be in "before-nat" state, so
> private address based shaping will be possible. So no need for
> classifying de-nated traffic.

Yes, this is of course possible. But then you don't shape the traffic from/to the server itself which is what the original poster wants to do.

> Some people here on lartc list shared opinions that shaping in ingress
> is not effective. It worked for me well on routers with hundreds of
> clients.

It works for me quite well, too.
(And IMHO would work really well if ECN were in widespread use)
(using IMQ + kernel 2.6.18 - as long as nobody floods me with UDP packets ;-)

Greetings
Jens

From nozo at ziu.info Sun Sep 16 22:36:33 2007
From: nozo at ziu.info (Michal Soltys)
Date: Sun Sep 16 22:36:50 2007
Subject: [LARTC] using tc to drop packets based on the diffserc or tos value
In-Reply-To:
References:
Message-ID: <46ED93D1.3090703@ziu.info>

Raghuvendra Kumar wrote:
> Hi all,
>
> [...]
>
> [root@scotch src]#tc filter add dev eth0 protocol ip u32 match ip dsfield 8 police drop
>
> It's showing error "Illegal "match".
>
> Can any one of you guide me, what is the correct way of doing it.
> It's important, please post a reply ASAP.
>

For instance:

tc qdisc add dev eth0 root handle 1: hfsc default 99
# (.. remaining classes / etc. ..)
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 \
    match ip dsfield 0x08 0xff action drop

Remember that mask is mandatory. Also check out doc/actions directory for info about extended actions in iproute tarball.

Out of curiosity - why not just:

iptables -A OUTPUT -o eth0 -p udp --sport 5060 -j DROP

... or with something like -j REJECT --reject-with icmp-port-unreachable, depending on your needs.

Assuming it's not just for testing purposes, and you actually want to drop the traffic generated by your host from that particular port.

From iloose2 at gmail.com Mon Sep 17 00:04:36 2007
From: iloose2 at gmail.com (William Gemmill)
Date: Mon Sep 17 00:04:41 2007
Subject: [LARTC] Dual Connections with Soekris net4801and Pyramid Linux
Message-ID: <2056e8ae0709161504r7a09815egbcd6b446ed39941@mail.gmail.com>

I'm trying to connect to two ISPs the connections are as follows:

Eth0 IP: 192.168.1.1 Mask: 255.255.255.0
Eth1 IP: 216.167.217.241 Mask: 255.255.255.0
Eth2 IP: 216.167.208.40 Mask: 255.255.255.0

Here are the commands to set things up:

#Load modules
insmod /lib/modules/2.6.19.2-pyramid.metrix.net/kernel/net/ipv4/multipath_drr.ko
insmod /lib/modules/2.6.19.2-pyramid.metrix.net/kernel/net/ipv4/multipath_random.ko
insmod /lib/modules/2.6.19.2-pyramid.metrix.net/kernel/net/ipv4/multipath_wrandom.ko
insmod /lib/modules/2.6.19.2-pyramid.metrix.net/kernel/net/ipv4/multipath_rr.ko

#Source IP routing for Eth2
ip rule add from 216.167.208.40 lookup 2
ip route add 192.168.1.0/24 via 192.168.1.1 table 2
ip route add 0/0 via 216.167.208.1 table 2

#Source IP routing for Eth1
ip rule add from 216.167.217.241 lookup 3
ip route add 192.168.1.0/24 via 192.168.1.1 table 3
ip route add 0/0 via 216.167.217.1 table 3

ip route add default equalize \
    nexthop via 216.167.208.1 dev eth2 \
    nexthop via 216.167.217.1 dev eth1

#Setup NAT
iptables -F -t filter
iptables -F -t nat
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

When the ip route add default equalize command is run it adds one default route to the routing table:

pyramid:~# route -vn
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
216.167.217.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
216.167.208.0   0.0.0.0         255.255.255.0   U     0      0        0 eth2
0.0.0.0         216.167.208.1   0.0.0.0         UG    0      0        0 eth2

However looking at ip route show both routes are present:

pyramid:~# ip route show
216.167.217.0/24 dev eth1  proto kernel  scope link  src 216.167.217.241
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
216.167.208.0/24 dev eth2  proto kernel  scope link  src 216.167.208.40
default equalize
        nexthop via 216.167.208.1  dev eth2 weight 1
        nexthop via 216.167.217.1  dev eth1 weight 1

If I change the order of the routes for the ip route equalize command the first route listed there is always shown in the routing table. But the route that is not listed by route -vn is always used.

I do not understand why a single default gateway is being added. To my understanding no default gateways should be shown by route -vn.

I have recompiled the kernel to include CONFIG_NETFILTER_NETLINK

Any suggestions?

Thanks.

From yangfang at fudan.edu.cn Mon Sep 17 05:25:56 2007
From: yangfang at fudan.edu.cn (yang,fang)
Date: Mon Sep 17 05:31:48 2007
Subject: [LARTC] Question on traffic control
Message-ID: <0JOH0021GTHOG3@mail.fudan.edu.cn>

Hi, everyone.

I'm a newbie to TC.
Now, I want to control my gateway traffic with tc.

I have a typical linux gateway server (CentOS 5)

Requirement is as follows:
1. Total bandwidth is 10M (either up or down)
2. Each PC in the subnet (192.168.0.0/24) should be limited to 1M bandwidth, so that no single PC can expend too much bandwidth.

How can I carry it out? I am not quite familiar with tc. After reading some articles, I find set-mark with iptables and handle mark with tc might be good. Must I add more than 250 rules in iptables or tc? Does it result in low efficiency?

Massive thanks.

Best regards,
yfang

From raghuvendra.kumar at bhartitelesoft.com Mon Sep 17 06:20:36 2007
From: raghuvendra.kumar at bhartitelesoft.com (Raghuvendra Kumar)
Date: Mon Sep 17 06:19:54 2007
Subject: [LARTC] using tc to drop packets based on the diffserc or tos value
In-Reply-To: <46ED93D1.3090703@ziu.info>
Message-ID:

Hi Michal,

Thanks for your much needed suggestion.

Actually I have a video Delivery server (suppose it supports 240 simultaneous calls). It takes request from various users for video delivery.

Now suppose if I want that after load reaches to 200, I should only allow premium users. In order to identify non-premium users, I check their diffserv value and drop their packets. This helps me to achieve QOS.

Problem is that I have read various tutorials of tc but I am yet not comfortable.

Default settings on my machine is: -

[root@scotch root]# ip link list
1: lo: mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:02:b3:f1:89:0c brd ff:ff:ff:ff:ff:ff
3: eth1: mtu 1500 qdisc noop qlen 1000
    link/ether 00:02:b3:f1:89:0d brd ff:ff:ff:ff:ff:ff
4: sit0: mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

Can I use a filter on the default qdisc attached on the eth0? If so, then how? (although I read somewhere that there is very little customization that we can do to the default qdisc)
If I used some classful qdisc then how would I restore my default setting?

Do we have a better way of achieving the same?

Can you suggest me some useful tutorials?

Please do reply.

Regards,

Raghuvendra Kumar | BTSL 414 | Ext
011-41619770 | Desk
+91-9818143739 | Mobile
raghuvendra.kumar@bhartitelesoft.com | EMail

-----Original Message-----
From: Michal Soltys [mailto:nozo@ziu.info]
Sent: Monday, September 17, 2007 2:07 AM
To: Raghuvendra Kumar
Cc: 'lartc@mailman.ds9a.nl'
Subject: Re: [LARTC] using tc to drop packets based on the diffserc or tos value

Raghuvendra Kumar wrote:
> Hi all,
>
> [...]
>
> [root@scotch src]#tc filter add dev eth0 protocol ip u32 match ip dsfield 8 police drop
>
> It's showing error "Illegal "match".
>
> Can any one of you guide me, what is the correct way of doing it.
> It's important, please post a reply ASAP.
>

For instance:

tc qdisc add dev eth0 root handle 1: hfsc default 99
# (.. remaining classes / etc. ..)
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 \
    match ip dsfield 0x08 0xff action drop

Remember that mask is mandatory. Also check out doc/actions directory for info about extended actions in iproute tarball.

Out of curiosity - why not just:

iptables -A OUTPUT -o eth0 -p udp --sport 5060 -j DROP

... or with something like -j REJECT --reject-with icmp-port-unreachable, depending on your needs.

Assuming it's not just for testing purposes, and you actually want to drop the traffic generated by your host from that particular port.

From raghuvendra.kumar at bhartitelesoft.com Mon Sep 17 08:36:09 2007
From: raghuvendra.kumar at bhartitelesoft.com (Raghuvendra Kumar)
Date: Mon Sep 17 08:35:35 2007
Subject: [LARTC] using tc to drop packets based on the diffserc or tos value
In-Reply-To: <46EE1662.4040900@vsnl.com>
Message-ID:

Thanks. One more thing.

I am using an iptables command to match dscp value and drop corresponding packets.

iptables -A INPUT -o eth0 -p udp -m --dscp 0x08 -j DROP

Is the syntax of the command correct?
It's showing the following error: -

iptables v1.2.8: Couldn't load match `--dscp':/lib/iptables/libipt_--dscp.so: cannot open shared object file: No such file or directory

What should I do to resolve the problem?

Regards,

Raghuvendra Kumar | BTSL 414 | Ext
011-41619770 | Desk
+91-9818143739 | Mobile
raghuvendra.kumar@bhartitelesoft.com | EMail

-----Original Message-----
From: Mohan Sundaram [mailto:mohan.tux@gmail.com]
Sent: Monday, September 17, 2007 11:24 AM
To: Raghuvendra Kumar
Subject: Re: [LARTC] using tc to drop packets based on the diffserc or tos value

Raghuvendra Kumar wrote:
> Hi Michal,
>
> Thanks for your much needed suggestion.
>
> Actually I have a video Delivery server (suppose it supports 240 simultaneous calls).
> It takes request from various users for video delivery.
>
> Now suppose if I want that after load reaches to 200, I should only allow
> premium users. In order to identify non-premium users, I check their diffserv
> value and drop their packets. This helps me to achieve QOS.
>

You can send premium customer traffic thro' a high prio class. This way, non-premium traffic will always be accorded lower priority and thus dropped if choke occurs. TOS marks must work. Another mechanism is to use fwmark in iptables and classify using mark in tc.

Mohan

From lists at andyfurniss.entadsl.com Mon Sep 17 23:12:29 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Mon Sep 17 23:12:36 2007
Subject: [LARTC] make tc stop!
In-Reply-To: <46EA954C.4050406@bristol.ac.uk>
References: <46EA954C.4050406@bristol.ac.uk>
Message-ID: <46EEEDBD.1050808@andyfurniss.entadsl.com>

Jonathan Gazeley wrote:
> I want to stop shaping from running on my box, without rebooting it.
> What's the best way to get rid of any tc rules?
> I have tried "tc qdisc del dev eth0 root" which appeared to be
> successful but traffic through my box is still very slow.

You could also try

tc qdisc del dev eth0 ingress

and repeat both on all interfaces.

Andy.
From lists at andyfurniss.entadsl.com Mon Sep 17 23:19:53 2007
From: lists at andyfurniss.entadsl.com (Andy Furniss)
Date: Mon Sep 17 23:19:54 2007
Subject: [LARTC] tc not matching
In-Reply-To: <46EA4170.3020203@bristol.ac.uk>
References: <46D5843C.6020606@bristol.ac.uk> <46D7045D.6080407@andyfurniss.entadsl.com> <46D7700C.4050105@andyfurniss.entadsl.com> <46E7CEC7.6060806@bristol.ac.uk> <46E85031.9090609@andyfurniss.entadsl.com> <46E91054.6070105@bristol.ac.uk> <46E9CB07.6070101@andyfurniss.entadsl.com> <46EA4170.3020203@bristol.ac.uk>
Message-ID: <46EEEF79.5010708@andyfurniss.entadsl.com>

Jonathan Gazeley wrote:
> Andy Furniss wrote:
>> That's strange - so there are no vlans involved and tcpdump -nnei eth0
>> only sees traffic coming in?
> Nope, no vlans. And yes, both tcpdump and tethereal see only on the
> outgoing (i.e. clients to internet) ack packets, but not the actual
> incoming data packets. Like I said, it can't be a routing problem
> because the only physical route those packets can take between the NAT
> clients and the internet is via eth0 on this box. All four interfaces on
> the box I'm using are Intel ones, so not just some cheap rubbish!
> Probably unlikely to be drivers too?

That's very strange - If the drivers are in the kernel and the kernel is recent then you would hope it's not them, but it's something to suspect.

> Yep - just tried this too. Again, this appears to have zero effect on
> the bandwidth. Client 1 still downloads flatly at 166kb/s and Client 2
> at 250kb/s. Something pretty weird is going on. Actually a colleague
> here has offered to set up a Cisco router to do the shaping and let my
> box just do the NAT. Start of term is imminent and this MUST be live
> within a week! Thanks for all your help though, you've been excellent
> and I've learned loads of stuff.
> As a relative beginner with Linux, this
> is yet another experience where something didn't work as it should,
> despite the advice of documentation, colleagues, lists, websites, etc...

It seems you've been unlucky, I can't really explain what you see.

Hope the Cisco goes OK for you.

Andy.

From mateusz-matusiak at wp.pl Tue Sep 18 01:15:41 2007
From: mateusz-matusiak at wp.pl (Mateusz Matusiak)
Date: Tue Sep 18 01:15:54 2007
Subject: [LARTC] server traffic control
Message-ID: <46ef0a9db71b9@wp.pl>

Hi,

Thank you very much for your replies.

I have tried the ingress - it didn't work for me (probably bad configuration). But I'll try to learn that later. I'm doing an N+ certification so it takes lots of my time atm.

I have 2 additional questions if that isn't a problem.

Q1 : I'm trying to limit bittorrent traffic from my server. I have patched my kernel and iptables using layer7. Any idea how to limit incoming (download and upload if someone knows) bittorrent traffic ?

Q2 : Also if I will place 2 network cards in my server and both of them will be connected to my ADSL router (via 2 separate ethernet cables) then which card will be used to communicate with the internet ?

Thank you very much for your help

--regards
Matt
From marco.casaroli at gmail.com Tue Sep 18 05:33:11 2007
From: marco.casaroli at gmail.com (Marco Aurelio)
Date: Tue Sep 18 05:33:26 2007
Subject: [LARTC] doubt about bridge qdisc
In-Reply-To:
References:
Message-ID: <92ed523b0709172033g4489019ek3313f89a8101ebf5@mail.gmail.com>

On 9/16/07, Salatiel Filho wrote:
> Hi guys, I have a little doubt;
> I have eth0 ethernet and eth1 wireless, and they are bridged in br0
>
> Is there any difference in the behavior between doing
>
> tc qdisc add dev br0 root sfq
>
> OR
>
> tc qdisc add dev eth0 root sfq && tc qdisc add dev eth1 root sfq
>
>

Yes. Only local traffic is passed through br0 and only all interface traffic is passed through each interface.

>
> --
> []'s
> Salatiel
>
> "The greatest pleasure of the intelligent man is to play the idiot
> in front of an idiot who plays the intelligent man."
>

-- 
Marco Casaroli
SapucaiNet Telecom
+55 35 34712377 ext. 5

From vadtec at vadtec.net Tue Sep 18 07:55:12 2007
From: vadtec at vadtec.net (Vadtec)
Date: Tue Sep 18 07:55:43 2007
Subject: [LARTC] I'm having an issue with u32 masking
Message-ID: <46EF6840.90305@vadtec.net>

Hello again all,

I'm proud to say that with the help of a good friend and some serious tinkering, I have finally figured out filtering within tc. But alas, I am having an issue I know I should not be having.

I am trying to filter all IRC traffic on my network so that it neither consumes large amounts of band width nor gets too little band width. I originally wanted to filter just ports 6660-6669 but quickly realized that the bit masking wouldn't allow for a single rule to cover them, so I opted instead to filter ports 6656-6671 which would give me the use of all 4 bits in that range.
For reference, 6656 = 0x1a00, 6671 = 0x1a0f.

As such, I have the following rules in my setup:

eth0 egress to the internet (eth0 is the external interface):

tc filter add dev eth0 parent 1: protocol ip prio 0 u32 \
    match ip protocol 6 0xff \
    match u16 0x1a00 0x1a0f at 22 \
    flowid 1:10

eth1 egress to the LAN (eth1 is the internal interface):

tc filter add dev eth1 parent 2: protocol ip prio 0 u32 \
    match ip protocol 6 0xff \
    match u16 0x1a00 0x1a0f at 20 \
    flowid 2:10

Now, to further verify that these bit masks do indeed work, I used a simple C app that I have had for several years now to do the verification. Here is the output from this C app:

(Be sure to view this in a fixed width font so that everything lines up correctly)

Start: 6655 End: 6675

6655 masked by 6671: 6159
    Bit Field:  0001100111111111
    Bit Mask:   0001101000001111
    Bit Result: 0001100000001111   No Match!
6656 masked by 6671: 6656
    Bit Field:  0001101000000000
    Bit Mask:   0001101000001111
    Bit Result: 0001101000000000   Match!
6657 masked by 6671: 6657
    Bit Field:  0001101000000001
    Bit Mask:   0001101000001111
    Bit Result: 0001101000000001   Match!
6658 masked by 6671: 6658
    Bit Field:  0001101000000010
    Bit Mask:   0001101000001111
    Bit Result: 0001101000000010   Match!
6659 masked by 6671: 6659
    Bit Field:  0001101000000011
    Bit Mask:   0001101000001111
    Bit Result: 0001101000000011   Match!
6660 masked by 6671: 6660
    Bit Field:  0001101000000100
    Bit Mask:   0001101000001111
    Bit Result: 0001101000000100   Match!
6661 masked by 6671: 6661
    Bit Field:  0001101000000101
    Bit Mask:   0001101000001111
    Bit Result: 0001101000000101   Match!
6662 masked by 6671: 6662
    Bit Field:  0001101000000110
    Bit Mask:   0001101000001111
    Bit Result: 0001101000000110   Match!
6663 masked by 6671: 6663
    Bit Field:  0001101000000111
    Bit Mask:   0001101000001111
    Bit Result: 0001101000000111   Match!
6664 masked by 6671: 6664
    Bit Field:  0001101000001000
    Bit Mask:   0001101000001111
    Bit Result: 0001101000001000   Match!
6665 masked by 6671: 6665
    Bit Field:  0001101000001001
    Bit Mask:   0001101000001111
    Bit Result: 0001101000001001   Match!
6666 masked by 6671: 6666
    Bit Field:  0001101000001010
    Bit Mask:   0001101000001111
    Bit Result: 0001101000001010   Match!
6667 masked by 6671: 6667
    Bit Field:  0001101000001011
    Bit Mask:   0001101000001111
    Bit Result: 0001101000001011   Match!
6668 masked by 6671: 6668
    Bit Field:  0001101000001100
    Bit Mask:   0001101000001111
    Bit Result: 0001101000001100   Match!
6669 masked by 6671: 6669
    Bit Field:  0001101000001101
    Bit Mask:   0001101000001111
    Bit Result: 0001101000001101   Match!
6670 masked by 6671: 6670
    Bit Field:  0001101000001110
    Bit Mask:   0001101000001111
    Bit Result: 0001101000001110   Match!
6671 masked by 6671: 6671
    Bit Field:  0001101000001111
    Bit Mask:   0001101000001111
    Bit Result: 0001101000001111   Match!
6672 masked by 6671: 6656
    Bit Field:  0001101000010000
    Bit Mask:   0001101000001111
    Bit Result: 0001101000000000   No Match!
6673 masked by 6671: 6657
    Bit Field:  0001101000010001
    Bit Mask:   0001101000001111
    Bit Result: 0001101000000001   No Match!
6674 masked by 6671: 6658
    Bit Field:  0001101000010010
    Bit Mask:   0001101000001111
    Bit Result: 0001101000000010   No Match!
6675 masked by 6671: 6659
    Bit Field:  0001101000010011
    Bit Mask:   0001101000001111
    Bit Result: 0001101000000011   No Match!

So, as you can see, if I mask the u16 with 0x1a0f (6671), tc should match both the source and destination port within the range of 6656-6671...but it does not.

Having watched the output of "watch -d -n 1 tc -s filter show dev eth0" and "watch -d -n 1 tc -s filter show dev eth1", and having played with the port to start checking from (IE: 0x1a0c, 0x1a0d, 0x1a0d, etc), I have come to the conclusion that TC is ONLY matching on the original port that I gave it. It does not in fact match on any port within the given range of ports that I provide in the masks.
Just as a case of verifying my method, I also tried (in my C app) the following:

6656-6675 masked by 0xfff0 (65520) - matches on ports 6656 and 6672
6656-6675 masked by 0x1a07 (6663) - matches on ports 6656-6663

I even went the extra step of verifying (most of) the bit masks by hand (grid paper is wonderful). So, in short, I know that my bit mask is working just fine.

Is this how tc is supposed to work? Does it only match on the value it is given based on whether or not the mask matches? IE: u16 0x1a00 0x1a0f at 22 (dest port 6656 ONLY), u16 0x1a0b 0x1a0f at 22 (dest port 6667 ONLY)

If so, how can you match a range of ports (in my example, or a range of anything for that matter) in tc?

Any help is greatly appreciated.

Vadtec

From nozo at ziu.info Tue Sep 18 10:44:42 2007
From: nozo at ziu.info (Michal Soltys)
Date: Tue Sep 18 10:44:13 2007
Subject: [LARTC] I'm having an issue with u32 masking
In-Reply-To: <46EF6840.90305@vadtec.net>
References: <46EF6840.90305@vadtec.net>
Message-ID: <46EF8FFA.6070707@ziu.info>

Vadtec wrote:
> Is this how tc is supposed to work? Does it only match on the value it
> is given based on whether or not the mask matches? IE: u16 0x1a00 0x1a0f
> at 22 (dest port 6656 ONLY), u16 0x1a0b 0x1a0f at 22 (dest port 6667 ONLY)
>
> If so, how can you match a range of ports (in my example, or a range of
> anything for that matter) in tc?
>

Try:

match u16 0x1a00 0xfff0

Mask is first applied to the value in the packet, then it's tested against your (0x1a00) value.

From h.hoxha at atnet.al Tue Sep 18 10:00:23 2007
From: h.hoxha at atnet.al (hhoxha)
Date: Tue Sep 18 12:38:28 2007
Subject: [LARTC] htb on Gigabit Interfaces
Message-ID:

Hi everybody

I have a linux server with Intel(R) Xeon(TM) CPU 3.20GHz, and 2 Gigabit of RAM, kernel version 2.6.22.6, and 2 Intel 82541PI Gigabit Ethernet controllers

In a simple situation I would like to limit bandwidth for 2 customers 1) (to 34 Mb/s) and 2) 68 Mb/s.
My conf is as below

/////////////////////////////////////////////////////

#IFACE FACING THE CUSTOMERS
/sbin/tc qdisc add dev eth0 root handle 1:0 htb
#IFACE FACING THE INTERNET
/sbin/tc qdisc add dev eth1 root handle 1:0 htb

/sbin/tc class add dev eth0 parent 1:0 classid 1:1 htb rate 150mbit quantum 30000
/sbin/tc class add dev eth1 parent 1:0 classid 1:1 htb rate 150mbit quantum 30000

#second customer download
/sbin/tc class add dev eth0 parent 1:0 classid 1:2 htb rate 68mbit ceil 68mbit quantum 30000
#second customer upload
/sbin/tc class add dev eth1 parent 1:0 classid 1:2 htb rate 68000kbit ceil 68000kbit quantum 30000

# first customer download
/sbin/tc class add dev eth0 parent 1:0 classid 1:3 htb rate 34mbit ceil 34mbit quantum 30000
# first customer upload
/sbin/tc class add dev eth1 parent 1:0 classid 1:3 htb rate 34mbit ceil 34mbit quantum 30000

#then iptable classify rules

#TO_FIRST CUSTOMER
/opt/sbin/iptables -t mangle -I POSTROUTING -o eth0 -d $DESTINATIONIP -j CLASSIFY --set-class 1:2
#FROM_FIRST CUSTOMER
/opt/sbin/iptables -t mangle -I POSTROUTING -o eth1 -s $SOURCEIP -j CLASSIFY --set-class 1:2

#TO_SECOND CUSTOMER
/opt/sbin/iptables -t mangle -I POSTROUTING -o eth0 -d $DESTINATIONIP -j CLASSIFY --set-class 1:3
#FROM_SECOND CUSTOMER
/opt/sbin/iptables -t mangle -I POSTROUTING -o eth1 -s $SOURCEIP -j CLASSIFY --set-class 1:3

/////////////////////////////////

For the customer with 34 Mb/s of bandwidth I can hardly reach 8 Mb/s and at this point I can notice an increased number of packets in the htb scheduler queue.
With the tc (htb disabled) the line rate of nearly 100 Mb/s of the customer can be reached easily

Is there any special tuning or conf that should be done considering the gig interfaces in place

Thank you

Hysen Hoxha
AlbTelecom
Albania

From P.Kaagman at atlascollege.nl Tue Sep 18 16:28:34 2007
From: P.Kaagman at atlascollege.nl (Peter Kaagman)
Date: Tue Sep 18 16:28:38 2007
Subject: [LARTC] Got stuck when a traffic shapping script
Message-ID: <6BEC0BC0C32DBE4480920A1A1DA06D25A28165@MERCURIUS.atlas.atlascollege.nl>

Hi there list,

I got stuck when making tc rules to divide bandwidth between RDP client and the rest of our Internet traffic.

Given the following problem:

We have a school with around 900 students and staff in a temporary location (an old vodka factory ;)) on around 100 workstations. The maximum bandwidth we could get was 1536 kbit. So we decided to let the staff work in our normal network via remote desktop. Around 90 students using the Internet would fill up the bandwidth real soon...
so I decided to use tc/htb to split up the bandwidth:

RDP would get a rate of 768kbit ceiling 1536kbit
The rest would get a rate of 768kbit ceiling 768kbit

To accomplish this I wrote the following script:

====================snip======================
#!/bin/sh
# eth0: Internet uplink
#
#                  root
#                   1:
#                    |
#                  base
#              1536/1536kbit
#                 _1:1_
#                /     \
#               /       \
#              /         \
#           RDP           Rest
#      768/1536kbit    768/768kbit
#         1:10            1:20
#

# root qdisc
/sbin/tc qdisc add dev eth0 root handle 1: htb default 20

# root class for borrow 1536/1536kbit
/sbin/tc class add dev eth0 parent 1: classid 1:1 htb rate 1536kbit ceil 1536kbit

# class for RDP 768/1536kbit
/sbin/tc class add dev eth0 parent 1:1 classid 1:10 htb rate 768kbit ceil 1536kbit

# class for Rest 768/768kbit
/sbin/tc class add dev eth0 parent 1:1 classid 1:20 htb rate 768kbit ceil 768kbit

# filters
# HTB rules should be attached to the root
# RDP traffic goes to class 1:10
/sbin/tc filter add dev eth0 protocol ip parent 1:1 prio 1 u32 match ip sport 3389 0xffff flowid 1:10
/sbin/tc filter add dev eth0 protocol ip parent 1:1 prio 1 u32 match ip dport 3389 0xffff flowid 1:10
======================snap======================

But this does not seem to work... and I would very much like to have some help on this... starting to feel like I have lost my sanity.

Peter

PS In the traffic shaping HOWTOs I see a graphing tool being used to demonstrate the working.... what tool is that? I've whipped up something with Perl and RRDtools to accomplish this.... but I am always wondering if I am looking at the right data.

PPS The original filter rules were:
/sbin/tc filter add dev eth0 protocol ip parent 1: prio 1 u32 match ip sport 3389 0xffff flowid 1:10
/sbin/tc filter add dev eth0 protocol ip parent 1: prio 1 u32 match ip dport 3389 0xffff flowid 1:10
I changed the parent.
From shemminger at linux-foundation.org Tue Sep 18 17:00:22 2007
From: shemminger at linux-foundation.org (Stephen Hemminger)
Date: Tue Sep 18 17:00:40 2007
Subject: [LARTC] doubt about bridge qdisc
In-Reply-To: <92ed523b0709172033g4489019ek3313f89a8101ebf5@mail.gmail.com>
References: <92ed523b0709172033g4489019ek3313f89a8101ebf5@mail.gmail.com>
Message-ID: <20070918080022.3d8eea46@freepuppy.rosehill.hemminger.net>

On Tue, 18 Sep 2007 00:33:11 -0300 "Marco Aurelio" wrote:

> On 9/16/07, Salatiel Filho wrote:
> > Hi guys, I have a little doubt;
> > I have eth0 ethernet and eth1 wireless, and they are bridged in br0
> >
> > Is there any difference in the behavior between doing
> >
> > tc qdisc add dev br0 root sfq
> >
> > OR
> >
> > tc qdisc add dev eth0 root sfq && tc qdisc add dev eth1 root sfq
> >
>
> Yes. Only local traffic is passed through br0 and only all interface
> traffic is passed through each interface.
>

Also since bridge is a pseudo device it has no transmit queue so there is no qdisc involved.

-- 
Stephen Hemminger

From vadtec at vadtec.net Tue Sep 18 17:02:52 2007
From: vadtec at vadtec.net (Vadtec)
Date: Tue Sep 18 17:03:23 2007
Subject: [LARTC] Re: LARTC Digest, Vol 31, Issue 25
In-Reply-To: <20070918100007.138FF4B47E@outpost.ds9a.nl>
References: <20070918100007.138FF4B47E@outpost.ds9a.nl>
Message-ID: <46EFE89C.2090003@vadtec.net>

> Message: 6
> Date: Tue, 18 Sep 2007 10:44:42 +0200
> From: Michal Soltys
> Subject: Re: [LARTC] I'm having an issue with u32 masking
> To: lartc@mailman.ds9a.nl
> Message-ID: <46EF8FFA.6070707@ziu.info>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Vadtec wrote:
>> Is this how tc is supposed to work? Does it only match on the value it
>> is given based on whether or not the mask matches? IE: u16 0x1a00 0x1a0f
>> at 22 (dest port 6656 ONLY), u16 0x1a0b 0x1a0f at 22 (dest port 6667 ONLY)
>>
>> If so, how can you match a range of ports (in my example, or a range of
>> anything for that matter) in tc?
>>
>
> Try:
>
> match u16 0x1a00 0xfff0
>
> Mask is first applied to the value in the packet, then it's tested
> against your (0x1a00) value

Can you please explain this further? You are saying that it's ORed with the value? Or is it ANDed? Or maybe XORed? What operation are they applying to the value?

Working from what I have done with other bit masking operations, I am assuming that the mask is ANDed with the value in the packet. Then I would assume you OR the check with the resulting value. But I am not sure.

I would expect the mask to be applied to the value. It doesn't make sense to apply it to the check, because then you would simply match the highest possible value of the check+mask.

Vadtec

From karme at berlios.de Tue Sep 18 20:00:58 2007
From: karme at berlios.de (Jens Thiele)
Date: Tue Sep 18 20:01:08 2007
Subject: [LARTC] doubt about bridge qdisc
In-Reply-To: <20070918080022.3d8eea46@freepuppy.rosehill.hemminger.net> (Stephen Hemminger's message of "Tue, 18 Sep 2007 08:00:22 -0700")
References: <92ed523b0709172033g4489019ek3313f89a8101ebf5@mail.gmail.com> <20070918080022.3d8eea46@freepuppy.rosehill.hemminger.net>
Message-ID: <87abrj26qt.fsf@thialfi.karme-net.hirschau>

On 18 Sep 2007, shemminger@linux-foundation.org wrote:

> Also since bridge is a pseudo device it has no transmit queue so there
> is no qdisc involved.

Just out of curiosity (I did not look at bridging details at all yet): is this 2.6.x specific? Because on some Linksys router with Tomato firmware, after adding a qdisc to br0 I get:

# uname -a
Linux linksys 2.4.20 #43 Sun May 20 18:08:39 PDT 2007 m
